With the European Commission’s (“EC”) approval of the U.S.-EU Privacy Shield Framework (“Privacy Shield”) on July 12, 2016, many companies are rushing to self-certify to the new compliance mechanism for personal data transfers from Europe to the United States. By certifying in the first two months – by September 30, 2016 – organizations can take advantage of a nine-month grace period from the date they certify to bring their existing commercial relationships and agreements with third parties into conformity with the Accountability for Onward Transfer Principle.
There appears to have been, however, some initial confusion on two key points: (1) the end date for the deadline to receive a nine-month grace period for onward transfers, and (2) the effect of Privacy Shield on the U.S.-Swiss Safe Harbor Framework (“Swiss Safe Harbor”).
1) September 30, 2016, Certification Deadline
There has been confusion among companies, law firms and consultants that believed September 12, rather than September 30, was the key date for certifying within the first two months of Privacy Shield. Although the EC approved Privacy Shield on July 12, 2016, the Department of Commerce (“Commerce”) began accepting self-certification submissions on August 1, 2016 – starting the two-month clock. We have confirmed with Commerce that September 30, 2016, is the key deadline. Companies that want to take advantage of Privacy Shield’s flexible, relatively inexpensive compliance framework should consider submitting their self-certifications by that time.
Paul Hastings’ Privacy and Cyber Implementation Solutions group has developed a simple five-step approach to quickly and cost-effectively achieve certification with the seven Privacy Shield Principles. To learn more about Privacy Shield, including the approaches being taken by others to meet the September 30th deadline, please contact us.
2) Effect on Swiss Safe Harbor Certification
Additionally, some have wondered about the status of the Swiss Safe Harbor and whether it has been impacted by Privacy Shield. Commerce has made clear that organizations joining Privacy Shield will be automatically withdrawn from the U.S.-EU Safe Harbor, but their participation in the Swiss Safe Harbor will not be affected. Accordingly, the Department’s FAQs recommend that organizations maintain an affirmative commitment to the Swiss Safe Harbor in relevant privacy policies unless they choose to withdraw from the Swiss Safe Harbor and notify Commerce of their withdrawal.
Thus, for now, absent any action from Switzerland to change course, companies seeking to continue transferring the data of Swiss citizens to the United States should maintain their Swiss Safe Harbor certifications.
PH Privacy is Paul Hastings’ Privacy, Cybersecurity and Data Governance blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.