If your company plans to join the Privacy Shield, you should self-certify by September 30, 2016 if at all possible. Organizations that self-certify within that window receive a nine-month grace period to bring their existing third-party relationships into conformance with the Accountability for Onward Transfer Principle. Why does this grace period matter, even for companies that were already in compliance with the U.S.-EU Safe Harbor? Because the Privacy Shield's Onward Transfer Principle imposes stricter requirements on transfers of personal data to third parties than the Safe Harbor did.
- Expanded Onward Transfer Requirements
The Privacy Shield legitimizes transfers of personal data from the EU/EEA to a data importer in the U.S. If the data importer subsequently transfers that data to another party, it must comply with the Privacy Shield's Onward Transfer Principle.
Under the Safe Harbor, the Onward Transfer Principle imposed no contract requirement on transfers of personal data to third parties acting as controllers. The Privacy Shield explicitly requires the data importer to enter into a contract with any third-party controller. That contract must require the third-party controller to process the personal data only for limited and specified purposes consistent with the consent given by the data subject, and to provide the same level of protection as the Privacy Shield Principles require.
The Privacy Shield also adds new requirements for onward transfers to third parties acting as agents (i.e., processors). Unlike the Safe Harbor, the Privacy Shield requires a contract with the third-party processor in every case, even if the third party is itself certified under the Privacy Shield or is otherwise deemed "adequate." The Privacy Shield organization (the data importer) must transfer personal data only for limited and specified purposes; must ascertain that the third-party processor is obligated to provide at least the level of privacy protection required by the Privacy Shield Principles; and must take reasonable and appropriate steps to ensure that the processor actually provides that protection. In addition, the organization must provide the Department of Commerce with a summary or representative copy of the relevant privacy provisions of the contract upon request.
- Conclusion: Time to Move On(ward) with Privacy Shield Certification
If your company plans to self-certify under the Privacy Shield Framework, you should do so by the end of September, if at all possible. Updating (or drafting) all of your third-party data transfer contracts will likely take a long time, and the grace period is only available to early certifiers. There is some lingering uncertainty about the Privacy Shield (including reports that the Hamburg DPA in Germany would like to challenge it promptly), but, as we have previously blogged, the Article 29 Working Party intends to wait at least a year before evaluating the Privacy Shield. For U.S. companies that have not already implemented an alternative such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), the benefits of the Privacy Shield's grace period should outweigh concerns about its longevity. The Schrems decision has left many companies searching for a path forward; with the deadline to secure the nine-month grace period for onward transfers approaching, it is time for companies not fully covered by SCCs or BCRs to move onward with the Privacy Shield.