U.S. companies are in a bind in the wake of the recent EU decision rejecting the validity of the Privacy Shield. While it is clear that the EU will not accept Privacy Shield participation as a basis for transferring data from the EU to the U.S., next steps for participants are unfortunately not clear cut. U.S. companies who participate in the Shield program face two decisions: (1) whether to continue participation in the Privacy Shield program and (2) what mechanism to rely on for data transfers from the EU to the U.S.
Companies that have considered removing references to the Privacy Shield from their website privacy policies may find that they need to reference both their Privacy Shield participation and another data transfer mechanism in their privacy policies to address the U.S. issues. To the extent that a company wants to consider withdrawing from the Privacy Shield, it may want to wait to see if the Department of Commerce issues any direction. Currently, under the terms of the program, withdrawing companies must complete a questionnaire at the time of withdrawal and then annually, to verify that information collected while in the Shield program continues to be treated under the terms of the program.
Putting it Into Practice: U.S. companies who are current participants in the Privacy Shield program may want to wait before making a decision about whether or not to withdraw. In the meantime, keep in mind the disclosure obligations that exist under the terms of the program when assessing your EU-U.S. data transfer mechanisms. Stay tuned for our next article, discussing the view of the Shield’s demise from the EU perspective and the status of potential alternate data transfer mechanisms.