In the world of data privacy law, when we refer to the “Privacy Shield,” we aren’t talking about a cardboard contraption to keep people from looking at your laptop screen. If you haven’t heard about it yet, the EU-US Privacy Shield is a newly proposed set of rules and regulations governing the legally authorized transfer of European residents’ personal data to the United States.

Why the new rules? In October 2015, the European Union Court of Justice invalidated the EU-US Safe Harbor Arrangement, a program that had been in place for 15 years to enable the legal transfer of personal data from EU countries to the United States. Recognizing the critical importance of having a legal mechanism to cover cross-border data flows, the EU and US governments set to work to develop a new regulatory framework that would replace the Safe Harbor and satisfy EU data protection requirements. In February 2016, the EU Commission and US Commerce Department announced an agreement on a new framework for regulating EU-US personal data transfers, the so-called “Privacy Shield.”

Here is a summary of what you need to know now about the Privacy Shield program, and how you can prepare for the changes that this program will bring to your organization’s EU data privacy compliance obligations.

What is the EU-US Privacy Shield?
The Privacy Shield is a new legal framework under which EU residents’ personal data may be legally transferred to the United States. The new Privacy Shield structure replaces the Safe Harbor Arrangement, the prior data regulation framework which was struck down by the EU Court of Justice.

When will the new program enter into effect?
The Privacy Shield program is not up and running yet, because an EU Commission Working Party must first decide whether the program meets the requirements of EU data privacy law. This so-called “adequacy” decision is expected in the coming months.

What are the requirements?
The Privacy Shield is similar to the Safe Harbor in that it is a self-certification program — US companies will register for the program with the US Department of Commerce, and formally certify compliance with certain data privacy principles on an annual basis. The Privacy Shield arrangement, as agreed thus far, includes the following new requirements:

  • Written commitments from the US Government that European residents’ personal data will not be subject to mass surveillance;
  • Increased transparency requirements for US companies participating in the program;
  • Multiple avenues for resolution of complaints, including alternative dispute resolution and the addition of an Ombudsman position at a high level in the US State Department; and
  • Annual Review of the program by EU and US government representatives, as well as closer enforcement cooperation between EU Data Protection Authorities and the US Federal Trade Commission.

It is possible that these agreed-upon requirements may be revised, or new requirements may be added, before the EU Commission Working Party issues a final decision regarding the program’s adequacy under EU data privacy law.

What should I be doing now?

Stay tuned for the EU Commission Working Party’s decision regarding the adequacy of the Privacy Shield framework, and the formal rollout of the Privacy Shield program.

Conduct an inventory of systems and databases to catalog and document data flows containing EU residents’ personal data from EU countries to servers and systems located in the US. Be sure to include systems and databases in which EU residents’ personal data is temporarily processed on systems/servers located in the US, even though the data may not remain or be stored there.

Utilize approved mechanisms to ensure privacy compliance for EU personal data transfers in the interim period while the Privacy Shield program is under review by the EU Commission Working Party. Standard Contractual Clauses and Binding Corporate Rules at this point are still considered valid mechanisms for compliance with the EU data privacy law. However, keep in mind that these programs may be subject to further review as well, and may have to be modified to reflect new commitments agreed to in the Privacy Shield program.

Begin preparing a plan to comply with new Privacy Shield requirements, including making preparations to register with the US Department of Commerce when the program launches, developing tools to ensure compliance with Privacy Shield obligations, and preparing to update existing privacy policies, procedures and compliance documentation to reflect the new regulatory scheme.

Now is the time to prepare for the Privacy Shield to avoid falling behind on EU data privacy compliance.


Lori Manca is a Washington, DC-based corporate compliance consultant, helping clients develop compliance programs and resolve compliance questions and issues. For additional information about the Privacy Shield and EU data privacy requirements, or for assistance with other compliance matters, please contact Lori directly at loriamanca@gmail.com.


The post above reflects the opinions of the author but does not constitute legal advice. Persons seeking legal advice should consult the attorney of their choice.