CLIENT ALERT
March 1, 2016
European Commission Releases Details of EU-U.S. Privacy Shield
SPEED READ
The European Commission released its long-awaited draft adequacy decision for the EU-U.S. Privacy Shield, a major step
towards the formal approval of the program that is to replace the invalidated Safe Harbors program. The release follows
commitments by U.S. authorities to monitor and enforce the principles of the Privacy Shield. Adoption of a final decision could
happen as early as Summer 2016. Once formally adopted, the program is likely to serve as an important data transfer
mechanism option for the more than 4,000 U.S. companies that had been Safe Harbors participants, as well as for other
American companies looking for a mechanism that will allow them to receive transfers of data from Europe.
On February 29, 2016, the European Commission and the U.S. Department of Commerce each released materials detailing the EU-U.S.
Privacy Shield (the “Privacy Shield”), the program that will replace the Safe Harbor framework that was invalidated by the October 6 Schrems
decision of the European Court of Justice.
Among the key differences between the Privacy Shield and Safe Harbors, the Privacy Shield will impose stronger obligations on
companies in the U.S. to protect the personal data of residents of the countries that comprise the European Economic Area (“EEA”). It
requires stronger monitoring and enforcement by U.S. authorities, including through increased cooperation with the data protection
authorities (“DPAs”). This arrangement also includes commitments and assurance by the U.S. authorities that their access to personal data
transferred under the new arrangement will be subject to clear conditions, limitations and oversight.
The Privacy Shield is based upon the following principles which are remarkably similar to the seven principles that formed the foundation of
Safe Harbors: notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; and recourse,
enforcement and liability. The Privacy Shield also introduces an additional 16 supplemental principles, which include principles regarding
sensitive data, journalistic exceptions, human resources data and performing due diligence and conducting audits.
The European Commission released a draft adequacy decision, a communication presenting recent developments since it issued its 13
recommendations regarding the EU Safe Harbor in 2013, a fact sheet and a FAQ. The draft adequacy decision is the proposed
determination by the European Commission that U.S. participants in the Privacy Shield provide an adequate level of protection of personal
data. With the exception of Safe Harbors and now the Privacy Shield, all other adequacy determinations have been made with respect to
particular countries. It is important to note that the United States itself still has not been determined to be a country that provides adequate
protection to personal data. The Commission’s draft adequacy decision would only apply to American companies that are registered
Privacy Shield participants.
The draft adequacy decision must be approved by the comitology procedure, which involves a non-binding opinion from the Article 29
Working Party (expected in the coming weeks), a binding opinion from the EU Member State representatives, and a formal adoption of the
adequacy decision by the EU College of Commissioners, the last expected perhaps as early as June. The European Parliament and the
European Council may request that the Commission amend or withdraw the adequacy decision at any time prior to its adoption. In the
meantime, on this side of the Atlantic, U.S. officials will make the necessary preparations to put in place the new framework and requisite
monitoring and ombudsperson mechanisms.
While the Commission’s release was met with criticism from some privacy advocates who have questioned whether the Privacy Shield
adequately addresses the deficiencies in Safe Harbors that led to its invalidation, there is now strong momentum for a binding data transfer
safe harbor for U.S. companies. Compliance with the new arrangement, however, will require greater privacy transparency for certified
entities, enhanced dispute resolution mechanisms, and conformity of subcontracting agreements with the principles. Companies that
expect to pursue certification should consult their privacy counsel to discuss the details of the Privacy Shield and analyze how it compares
with the other options for legitimizing cross-border data transfers from the EEA to the United States. In addition, it seems that it will be at
least several more months before companies will be able to register for the Privacy Shield. During that time, it will be essential to continue
to ensure that data transfers are legitimized through other mechanisms, such as agreements based upon the model clauses.
Goodwin Procter’s privacy and cybersecurity team will continue to monitor developments as they occur and will provide updated information
on the new Privacy Shield program as it becomes available. In the meantime, if you have any questions about the program, please feel free
to reach out to any member of our privacy and cybersecurity team. You can also read our previous client alerts on the Privacy Shield
framework and the invalidation of the Safe Harbor program.
Authors: Lynne B. Barr, Brenda R. Sharton, William E. Growney, Jr., Jacqueline Klosek
GET IN TOUCH
For more information about the contents of this alert,
please contact:
Lynne Barr
Partner
+1 617 570 1610
lbarr@goodwinprocter.com
Brenda Sharton
Partner
+1 617 570 1214
bsharton@goodwinprocter.com
William Growney, Jr.
Partner
+1 650 752 3203
wgrowney@goodwinprocter.com
Jacqueline Klosek
Counsel
+1 212 459 7464
jklosek@goodwinprocter.com
© 2016 Goodwin Procter LLP. All rights reserved. This informational piece, which may be considered advertising under the ethical rules of
certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice
by Goodwin Procter LLP, Goodwin Procter (UK) LLP or their attorneys. Prior results do not guarantee similar outcome.
Goodwin Procter LLP is a limited liability partnership which operates in the United States and has a principal law office located at 53 State
Street, Boston, MA 02109. Goodwin Procter (UK) LLP is a separate limited liability partnership registered in England and Wales with
registered number OC362294. Its registered office is at Tower 42, 25 Old Broad Street, London EC2N 1HQ. A list of the names of the
members of Goodwin Procter (UK) LLP is available for inspection at the registered office. Goodwin Procter (UK) LLP is authorized and
regulated by the Solicitors Regulation Authority.