October 19, 2019

October 18, 2019

Subscribe to Latest Legal News and Analysis

October 17, 2019

Subscribe to Latest Legal News and Analysis

Privacy Shield Alert: Onward Transfer Grace Period Ends September 30

The EU-US Privacy Shield became operational on August 1, 2016; a nine-month grace period for compliance with the onward transfer requirements applies for organizations that sign up to the Privacy Shield prior to October 1, 2016.

Since August 1, US businesses have been able to self-certify compliance with the Privacy Shield principles in order to receive personal data from European Union-based businesses or consumers without specific consent or special agreements (see our previous post for more detail).

Organizations that self-certify must first develop a privacy policy that conforms to the Privacy Shield principles, which include

  • providing individuals with a mechanism to “opt out” of disclosures of their personal data to third parties or for secondary uses of their personal data; 

  • signing up to a third-party dispute resolution provider or committing to cooperate with the European data protection authorities;

  • setting up procedures for annual assessments, internal dispute resolution, and re-certifications; and

  • paying all relevant fees.

The privacy policy must be made publicly available (typically on a website) and must include a statement to confirm that the business adheres to the Privacy Shield principles. A business must then make a submission to the US Department of Commerce.

The principle relating to the onward transfer of personal data is one that was criticized as being ineffective under the now-invalid EU-US Safe Harbor program. This principle applies where organizations pass on personal data from the European Union to third parties. Under the Privacy Shield, it is necessary for organizations to review and, if necessary, update their agreements with such third parties to ensure that an adequate level of protection of this onward-transferred personal data is provided for the benefit of the relevant individuals. This includes ensuring that data is only processed for limited, specified purposes consistent with the original consent and notifying the company if it can no longer meet the obligation and, if so, to either cease processing or take other reasonable and appropriate steps to remediate.

The process of reviewing and updating these third-party contracts can be time consuming. Therefore, the special concession allows all organizations that self-certify compliance with the Privacy Shield prior to October 1, 2016 a period of up to nine months from the date of their self-certification to comply with the Privacy Shield principles relating to the onward transfer of personal data.

With that concession due to expire on September 30, 2016, organizations that self-certify from next week will need to have their onward transfer agreements—after the appropriate due diligence—in place at the time they self-certify compliance with the Privacy Shield principles.

Copyright © 2019 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Pulina Whitaker, Morgan Lewis, labor and employment lawyer
Partner

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...

+44.20.3201.5550
Matthew Howse, Employment law attorney, Morgan Lewis
Partner

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

44 (0)20 3201 5670
Dr. Axel Spies, Telecommunications and technology lawyer, Morgan Lewis
Special Legal Consultant

Dr. Axel Spies has advised clients for many years on various international issues, including licensing, competition, corporate issues, and new technologies such as cloud computing. He counsels on international data protection (EU General Data Protection Regulation), international data transfers (Privacy Shield), healthcare, technology licensing, e-discovery, and equity purchases. A member of the Sedona Conference on Electronic Discovery, Dr. Spies is frequently quoted in the media for his telecommunications and privacy knowledge.

202-373-6145