We are now two months into Europe’s new General Data Protection Regulation (“GDPR”), which extends the jurisdictional scope of European data protection law. As a result, GDPR applies extraterritorially to any organization that can be reached by an EU citizen. GDPR imposes harsher data protection requirements that carry substantial penalties for non-compliance, including administrative fines of up to 4% of annual worldwide revenue. These steep fines have forced businesses across the U.S. (and the world) to reconsider their EU business strategy. Additionally, many companies are compelled by their clients or partners to comply with GDPR. Fortunately, and for the time being, there is an alternative regulatory mechanism that allows U.S. businesses to conform to EU data transfer laws.
The EU-U.S. and Swiss-U.S. Privacy Shield
In July 2016, the U.S. Department of Commerce and the European Commission approved the EU-U.S. Privacy Shield Framework, while the Swiss Administration approved the Swiss-U.S. Privacy Shield in July 2017 (collectively, the “Privacy Shield”). The Privacy Shield, which serves as an adequacy decision under GDPR, is a data protection framework that allows companies on both sides of the Atlantic to transfer personal data from the EU to the U.S. The Privacy Shield replaced the U.S.-EU Safe Harbor Framework (the “Safe Harbor”) after the Safe Harbor was struck down by the Court of Justice of the European Union in October 2015. The Privacy Shield’s purpose is to bridge the different privacy protections afforded to U.S. and EU citizens. The Privacy Shield Principles include the data subject’s right to be informed; limitations on the use of the data subject’s data for different purposes; obligations to secure the data subject’s data; obligations to protect the data subject’s data if transferred to another company; the data subject’s right to access and correct their data; the data subject’s right to file a complaint and obtain a remedy; and redress in case of access by U.S. public authorities. Companies may undertake Self-Certification (often with the assistance of counsel), and the U.S. Department of Commerce is in charge of issuing Self-Certification determinations. U.S. participants in the Privacy Shield are subject to the Federal Trade Commission’s broad jurisdiction.
Should I Get Self-Certified?
In light of the stricter regulation of European data transfers to the U.S., not complying with the necessary data protection laws may impact your ability to adequately cater to European customers, or to partner with or provide services to other U.S. entities that are subject to GDPR. Accordingly, for many businesses, there are significant motivators to comply.
A company may be eligible to certify to the Privacy Shield if it transfers EU or Swiss personal data to the U.S., or receives or accesses EU or Swiss personal data. At the core, seeking Privacy Shield Self-Certification is a business decision requiring an understanding of how and at what frequency your business interacts with EU data.
While thousands of companies are enjoying the benefits of the Privacy Shield, it is worth noting that on July 5, 2018, members of the European Parliament called for a suspension of the Privacy Shield unless the U.S. fully complies with GDPR by September. All eyes will be on the European Commission as the September Privacy Shield annual review approaches.
Compliance is a moving target. The regulatory framework for privacy worldwide is evolving. Numerous government and consumer agencies, as well as public advocacy groups, have called for new regulation coupled with changes in industry practices. Further, new laws and regulations will be adopted in and around the United States, as most recently seen in California, and existing laws and regulations may be interpreted in new ways. Navigating the data privacy regulatory landscape is complex and requires continual monitoring.