We just returned from the TEMIA biannual event and the CTIA Mobility Conference held in Las Vegas.
The show was, of course, wild: so many cool gadgets, from droids to auto-pay refrigerators. What we spent a fair bit of time exploring, however, was how Brexit and the new Privacy Shield rules might affect the many legacy Safe Harbor companies. While touring the show floor we were dazzled by all the bright and shiny objects, but we realized that on our return we would be helping our customers sort out their options following the Privacy Shield launch.
We made it a point to open discussions with attorneys from the Carr & Ferrell and Kelley Drye & Warren law firms about the recent launch of the Privacy Shield and to pick their brains on how legacy Safe Harbor companies will be affected.
We learned that it has been exactly two weeks since the launch and that the National Telecommunications & Information Administration (NTIA) has a self-certification system in place to speed companies through the process. One of our first questions was whether legacy Safe Harbor companies would have to reapply. The answer was yes! Wow. They went on to inform us that so far there have been fewer than 42 company listings. They said a couple hundred more are to follow, but this is far lower than the 4,000+ applicants under the former Safe Harbor agreement.
The Department of Commerce began accepting certifications on August 1, 2016, so the window to take advantage of the grace period closes on September 30, 2016. The grace period gives companies nine months from the date they certify to the Privacy Shield to negotiate amendments to their third-party contracts with all vendors and other business partners that receive personal data from the certifying company. To ensure sufficient safeguards for the privacy of EU personal data in the hands of U.S. organizations, the European Commission states that the Privacy Shield imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced.
Our sources indicated that the biggest question will be who will actually join the Privacy Shield (PS). There is a self-certification portal with forms to fill out to apply. The annual fees range from $250 to $3,500 per year, depending on the size of the company. There is also an annual assessment to fund the new U.S. arbitral panel under the PS, which is still to be established. Many U.S. companies are waiting before signing up due to the following:
[Source: extracted from NTIA site]
From the research we have done, it appears that U.S. companies processing EU personal data frequently misunderstand what they can achieve with a self-certification under the PS. Self-certification does not replace full compliance with the applicable data protection laws in the EU. As the NTIA site states, all the PS can achieve is to put the data importer (the U.S. company) on an equal legal footing with the data exporter in Europe. One of the attorneys gave us this example: “If a U.S. health care provider imports ‘e-health’ data (patient records, etc.) from Spain, both companies must abide by applicable law for such data sets in Spain. The PS is to function more like a conduit to bring personal data that have been legally collected from Europe into the United States.”
There will be more to follow as we get further into this process. Stay tuned!