U.S. organizations transmitting personal information across the Atlantic can breathe a sigh of relief – sort of. The U.S. and E.U. agreed this month to a new framework designed to protect the online privacy of E.U. citizens and to mitigate legal exposure for U.S. entities transmitting personal information across the Atlantic. The agreement, known as Privacy Shield, replaces Safe Harbor, a fifteen-year-old privacy agreement that was ruled illegal last October by the Court of Justice of the European Union (“CJEU”), the highest E.U. court.
This developing area of the law is often not on the radar of nonprofit organizations. In fact, many nonprofits are not eligible to participate in Privacy Shield and its Safe Harbor predecessor. However, as discussed below, Section 501(c)(6) trade associations and certain other nonprofit entities should qualify to enjoy the legal protections available under these legal frameworks. Since the abrogation of Safe Harbor, many eligible nonprofits have faced uncertainty regarding the legal status of their transatlantic data transfers. The new replacement, Privacy Shield, promises both to protect E.U. citizens’ personal information and to shelter qualifying U.S. nonprofits and other entities that comply with its terms.
It may be too soon to celebrate, however. Specific terms and conditions of Privacy Shield have not yet been disclosed. Furthermore, it is not clear that the new agreement will pass legal muster with E.U. Data Protection Authorities (“DPAs”) once the details are published. Until this occurs, U.S. organizations conducting transatlantic transfers of personal information remain in murky legal waters. During this time of uncertainty, U.S. organizations should continue to implement alternative legitimization mechanisms (discussed below).