Sep 92016

Evaluating the Dwindling Privacy Shield Grace Period

Colleen Theresa Brown, William RM Long, Alan Charles Raul and Cameron F. Kerry
, , , , ,

Now that we are into September, you may be hearing more about the Privacy Shield for transfers of personal data from the EU to the U.S., and in particular the 9 month “grace period” to fully implement the Privacy Shield for companies that certify within the first two months that the Privacy Shield is available for certification.   The Department of Commerce began accepting certifications on August 1, 2016, and so the opportunity to take advantage of the grace period closes on September 30, 2016.  This grace period does not, however, absolve companies of the responsibility to implement Privacy Shield principles and substantive obligations upon certification.  Rather, it permits companies nine months from the date they certify to the Privacy Shield to negotiate amendments to their third party contracts with all vendors or other business partners that receive personal data from the certifying company.

Companies that certify to the Privacy Shield must ensure that contracts reflect the strengthened standards for accountability for onward transfers.  When transferring personal data to a third party during the grace period, the Department of Commerce has specified that companies still must “(i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles.”

Outside of the third party contracts requirements, the certifying company must have all the other Privacy Shield elements in place on the date of certification.  This may still be a significant effort even for companies that had previously been certified to the Safe Harbor program.

Many companies that had been Safe Harbor certified moved to a largely Model Contract-based transfer solution over the past year.  Nevertheless, many may still be evaluating the Privacy Shield, or seeing pressure from business partners or institutional clients to certify.  The U.S. and EU governments will be ramping up publicity on the Privacy Shield in the coming weeks, and a number of well known American companies are signing up, including Microsoft, Oracle, Salesforce and Google.  Accordingly, you may wish to take note of the grace period now and consider whether there are benefits to early adoption.  Whether or not the Privacy Shield ultimately is a good fit for your company, questions may arise from business partners, clients, or perhaps senior management on the Privacy Shield, and evaluating the opportunity now will allow you to articulate the rationale behind your company’s approach to the Privacy Shield, including this “grace period” offer.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

William RM Long

London

wlong@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Cameron F. Kerry

ckerry@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.