Privacy Shield Considerations for Technology and Biotechnology Companies
For companies that deal with data transfers from the EU to the US, the invalidation of the US-EU Safe Harbor framework in October 2015 has meant that this year has been filled with legal uncertainty about the status of their EU data transfers. Many of these clients scrambled to put model contracts in place. Following the European Commission's approval of the EU-US Privacy Shield earlier this month, companies are still unclear about whether self-certification under the Privacy Shield is the best way to proceed. There is no "easy" answer to this question.
Our technology and biotechnology clients, in particular, have been paying attention to this issue because many conduct clinical trials abroad and then need to import the data to the US. Technology companies confront these issues if they have offices or clients in Europe and need to send data between the US and EU.
For some of these companies, the model contracts they have in place may provide the most protection. Others may decide that binding corporate rules offer the best solution, although we see companies using these less frequently than the other options. The best approach for your company will depend on many specific facts about the company’s data transfers, but we have outlined some key components of the Privacy Shield below.
The Privacy Shield is a voluntary, self-certification program that will allow companies to transfer personal data from the EU to the United States. In developing the Privacy Shield, regulators intended to replace the Safe Harbor and also to address a myriad of concerns surrounding the transfer of data from the EU to the US. Commentators have criticized the Privacy Shield, however, because they believe it will be subject to legal challenge and may not provide the certainty that many companies are seeking. Within the past few days, 28 data protection authorities in the EU have said that they will not challenge the Privacy Shield for at least a year. This assurance is comforting in the short term, but developing full compliance with the Privacy Shield will involve significant time and resources for most companies -- something they may be hesitant to commit right now. Despite these uncertainties, the Department of Commerce expects that many companies will self-certify under the Privacy Shield.
If a company does decide that the Privacy Shield is the best choice, it can self-certify its compliance with the Privacy Shield, as of August 1, at www.privacyshield.gov. Although the process is similar to the Safe Harbor, the Privacy Shield contains many requirements that are more burdensome than those of the Safe Harbor. For example, companies must:
- Provide “effective and readily available independent recourse mechanisms” by which individuals can have complaints addressed regarding treatment of their personal data at no cost to the individual;
- Inform individuals of their rights to access their personal data and the requirement to disclose personal information in response to lawful requests by public authorities;
- When collecting personal information for research purposes, obtain informed consent from consumers that the data will be used for research purposes;
- Conduct “onward transfers” (i.e., a transfer of EU data to a third party) only pursuant to a contract that provides the same level of protection as the Privacy Shield;
- Respond to all complaints from individuals within 45 days and commit to binding arbitration at the request of the individual to address any complaint that has not otherwise been resolved.
It is also worth noting that the Department of Commerce and Federal Trade Commission will engage in “stronger monitoring and enforcement” of companies’ data protection practices.