Privacy Shield Alert: Onward Transfer Grace Period Ends September 30

September 29, 2016

The EU-US Privacy Shield became operational on August 1, 2016; a nine-month grace period for compliance with the onward transfer requirements applies for organizations that sign up to the Privacy Shield prior to October 1, 2016.

Since August 1, US businesses have been able to self-certify compliance with the Privacy Shield principles in order to receive personal data from European Union-based businesses or consumers without specific consent or special agreements (see our July 2016 LawFlash and Privacy Shield Summary for more detail).

Organizations that self-certify must first develop a privacy policy that conforms to the Privacy Shield principles, which include

  • providing individuals with a mechanism to “opt out” of disclosures of their personal data to third parties or for secondary uses of their personal data; 
  • signing up to a third-party dispute resolution provider or committing to cooperate with the European data protection authorities;
  • setting up procedures for annual assessments, internal dispute resolution, and re-certifications; and
  • paying all relevant fees.

The privacy policy must be made publicly available (typically on a website) and must include a statement to confirm that the business adheres to the Privacy Shield principles. A business must then make a submission to the US Department of Commerce.

The principle relating to the onward transfer of personal data is one that was criticized as being ineffective under the now-invalid EU-US Safe Harbor program. This principle applies where organizations pass on personal data from the European Union to third parties. Under the Privacy Shield, it is necessary for organizations to review and, if necessary, update their agreements with such third parties to ensure that an adequate level of protection of this onward-transferred personal data is provided for the benefit of the relevant individuals. This includes ensuring that data is only processed for limited, specified purposes consistent with the original consent and notifying the company if it can no longer meet the obligation and, if so, to either cease processing or take other reasonable and appropriate steps to remediate.

The process of reviewing and updating these third-party contracts can be time consuming. Therefore, the special concession allows all organizations that self-certify compliance with the Privacy Shield prior to October 1, 2016 a period of up to nine months from the date of their self-certification to comply with the Privacy Shield principles relating to the onward transfer of personal data.

With that concession due to expire on September 30, 2016, organizations that self-certify from next week will need to have their onward transfer agreements—after the appropriate due diligence—in place at the time they self-certify compliance with the Privacy Shield principles.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Washington, DC
Axel Spies
Ronald W. Del Sesto

San Francisco
W. Reece Hirsch

Gregory T. Parks

Matthew Howse