Japanese companies may have European branches or subsidiaries that send personal data to the US or that may be accessed by entities in the US, including customer, employee or marketing information. A cross-border data transfer mechanism is necessary to accomplish this, to comply with EU data protection laws and rules.

What is the Privacy Shield?

The EU-US Privacy Shield Framework was designed by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with European Union data protection requirements when transferring EU Personal Data from the European Union to the United States. More than 2,200 organizations have already self-certified under the Privacy Shield, and we anticipate that the number will continue to increase.

As of August 1, 2016, the US-EU Privacy Shield replaced the defunct Safe Harbor for data transfers from the European Union to the United States.

Some organizations have adopted different approaches in addressing Privacy Shield requirements, often wrestling with how to achieve compliance. Others have turned to mechanisms such as EU Model Clauses or even adopting a wait-and-see non-compliant posture.

EU "Personal Data" is defined quite broadly and means any information relating to an identified or identifiable natural person. Examples of personal data are name, identification number, location data, an online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity.

The Privacy Shield Principles lay out a set of requirements governing participating organizations' use and treatment of EU Personal Data received from the European Union under its Framework. It also sets forth the access and recourse mechanisms that participants must provide to individuals in the European Union. Once an organization publicly commits to comply with the Privacy Shield Principles, that commitment is enforceable under US law – with possible US Department of Commerce audits. It also mandates a third-party vendor management system so that the organization conforms its contracts with third-party processors and third-party controllers to the new onward transfer requirements.

What is the Privacy Shield How-To Kit?

The Privacy Shield How-To Kit was created by McDermott Will & Emery to help organizations prepare for and self-certify compliance with the EU-US Privacy Shield Framework.

The How-To Kit is intended for use by previously Safe Harbor-certified organizations and those that are not yet certified.

  • For organizations that previously were Safe Harbor certified, this How-To Kit contains tools to help perform a gap analysis between an organization's current policies and practices, and the heightened requirements of the new Privacy Shield. This exercise will help the organization identify the specific compliance steps that must be taken prior to self-certifying.
  • For organizations not previously Safe Harbor-certified, the Privacy Shield How-To Kit outlines the necessary steps to assess preparedness and create a Privacy Shield compliance program from the outset.

Certifying under Privacy Shield by using this How-To Kit may also give organizations a head start in preparing for compliance with the EU General Data Protection Regulation (GDPR). The GDPR will become applicable in May 2018 and will apply to US companies providing goods and services to the European market.

What Does the Privacy Shield How-To Kit Contain?

The Privacy Shield How-To Kit includes model documents, explains implementation strategies and sets forth a roadmap for enrolling in the Privacy Shield. It also contains practical templates an organization can use to assess its readiness to self-certify compliance with the Privacy Shield Principles, including a data inventory, a vendor due diligence questionnaire and models of vendor template contractual provisions.

The How-To Kit contains the following documents and templates that will help an organization assess and advance its current compliance status with Privacy Shield requirements:

  • The Privacy Shield Work Plan will help an organization track and document its progress toward compliance with each Privacy Shield principle;
  • The Privacy Shield Data Inventory is a tool to assess the organization's EU Personal Data collection activities that fall within the scope of Privacy Shield;
  • The Privacy Shield Privacy Policy Checklist is to be read alongside the organization's Privacy Policy to ensure that it contains all of the required elements;
  • The Third-Party Due Diligence Questionnaire will help an organization gather necessary information about its current third party vendor arrangements;
  • The Vendor Template Provisions are a guide for revising and supplementing an organization's vendor contracts to bring these contracts into compliance with Privacy Shield;
  • Guidance on Independent Recourse Mechanisms will assist an organization in choosing third-party independent recourse mechanism required under the Recourse, Enforcement and Liability Principle; and
  • Additional Resources about Privacy Shield explain certain Privacy Shield principles and Department of Commerce guidance.

Privacy Shield certification planning and use of this How-To Kit may be done under attorney-client privilege. Counsel should be involved in the preparations for certification.

This How-To Kit may also be used as guidance to certify under the Swiss-US Privacy Shield Framework, as the principles under both frameworks include similar requirements. There are slight differences between the frameworks and the organization must consider these differences prior to certification.

Privacy Shield Implementation And How-To Kit From McDermott Will & Emery

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.