Evaluating the Dwindling Privacy Shield Grace Period

Now that we are into September, you may be hearing more about the Privacy Shield for transfers of personal data from the EU to the U.S., and in particular the 9 month “grace period” to fully implement the Privacy Shield for companies that certify within the first two months that the Privacy Shield is available for certification.   The Department of Commerce began accepting certifications on August 1, 2016, and so the opportunity to take advantage of the grace period closes on September 30, 2016.  This grace period does not, however, absolve companies of the responsibility to implement Privacy Shield principles and substantive obligations upon certification.  Rather, it permits companies nine months from the date they certify to the Privacy Shield to negotiate amendments to their third party contracts with all vendors or other business partners that receive personal data from the certifying company.

Companies that certify to the Privacy Shield must ensure that contracts reflect the strengthened standards for accountability for onward transfers.  When transferring personal data to a third party during the grace period, the Department of Commerce has specified that companies still must “(i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles.”

Outside of the third party contracts requirements, the certifying company must have all the other Privacy Shield elements in place on the date of certification.  This may still be a significant effort even for companies that had previously been certified to the Safe Harbor program.

Many companies that had been Safe Harbor certified moved to a largely Model Contract-based transfer solution over the past year.  Nevertheless, many may still be evaluating the Privacy Shield, or seeing pressure from business partners or institutional clients to certify.  The U.S. and EU governments will be ramping up publicity on the Privacy Shield in the coming weeks, and a number of well known American companies are signing up, including Microsoft, Oracle, Salesforce and Google.  Accordingly, you may wish to take note of the grace period now and consider whether there are benefits to early adoption.  Whether or not the Privacy Shield ultimately is a good fit for your company, questions may arise from business partners, clients, or perhaps senior management on the Privacy Shield, and evaluating the opportunity now will allow you to articulate the rationale behind your company’s approach to the Privacy Shield, including this “grace period” offer.