U.S. companies are in a bind in the wake of the recent EU decision rejecting the validity of the Privacy Shield. While it is clear that the EU will not accept Privacy Shield participation as a basis for transferring data from the EU to the U.S., next steps for participants are unfortunately not clear cut. U.S. companies who participate in the Shield program face two decisions: (1) whether to continue participation in the Privacy Shield program and (2) what mechanism to rely on for data transfers from the EU to the U.S.

For the first, companies should keep in mind that the Department of Commerce and the FTC have both issued statements that, notwithstanding the EU decision, the Privacy Shield program has not been discontinued. Thus, participants still need to follow the program’s requirements, which include “inform[ing] individuals about . . . [their] participation in the Privacy Shield” and providing a link to the Shield list. (See Privacy Shield Framework, 1(a)(i)). This, of course, would need to be balanced with the need, under GDPR, to disclose the basis under which information is transferred from the EU to the U.S. (GDPR Art. 13(1)(f)). Both of these requirements are usually addressed in the privacy policy. One question that has arisen since the decision, because of GDPR’s requirement, has been: should we remove the reference to the Shield from the policy, since the EU no longer views it as a valid mechanism? However, removing this reference would, given the requirements of the Shield program, mean a company would first have to withdraw from the Shield program.

Companies that have considered removing references to the Privacy Shield from their website privacy policies may thus find that they need to reference both their Privacy Shield participation and another data transfer mechanism in their privacy policies to address the U.S. issues. To the extent that a company wants to consider withdrawing from the Privacy Shield, it may want to wait to see if the Department of Commerce issues any direction. Currently, under the terms of the program, withdrawing companies must complete a questionnaire at the time of withdrawal and then annually, to verify that information collected while in the Shield program continues to be treated under the terms of the program.

Putting it Into Practice: U.S. companies who are current participants in the Privacy Shield program may want to wait before making a decision about whether or not to withdraw. In the meantime, keep in mind the disclosure obligations that exist under the terms of the program when assessing your EU-U.S. data transfer mechanisms. Stay tuned for our next article, discussing the view of the Shield’s demise from the EU perspective and the status of potential alternate data transfer mechanisms.