Skip to main content

Publications

Jul 2016
14
July 14, 2016

New Privacy Shield Approved: Now What?


On July 12, 2016, the European Commission approved the new EU-U.S. Privacy Shield to replace the invalidated Safe Harbor program with a new data transfer mechanism.

U.S. companies with European Union (EU) operations often transfer personal information about their employees or customers from the EU to the United States. Because the EU data privacy directive, with some limited exceptions, generally prohibits cross-border transfers of personal data outside of the EU, many U.S. companies relied on the old Safe Harbor program as the mechanism for making such transfers legal. After the invalidation of the Safe Harbor program, U.S. companies were forced to rely on either standard contractual clauses or binding corporate clauses as the mechanism for such transfers, neither of which were ideal because they were either too cumbersome (standard contractual clauses) or required a lengthy amount of time to put in place (binding contractual clauses). The Privacy Shield now provides an alternative.

If your company wants to take advantage of the new Privacy Shield framework, your company will need to:
  • Self-certify compliance with the EU privacy principles and renew that certification annually.
  • Review and possibly update its existing privacy policies, train its workforce and then objectively monitor for compliance going forward. 
  • Enter into a binding contract with any other organization, whether an affiliate or a contractor, with which you share personal data transferred from the EU that requires the other organization’s compliance with the Privacy Shield requirements. Keep in mind that in most instances, your company will remain liable if the other organization fails to live up to its obligations, meaning due diligence and ongoing monitoring will be important.
  • Respond promptly to complaints about the use of EU personal data, which may include making alternative dispute resolution available without charge and responding to EU data protection authority investigations.
We expect more information to become available in the coming days and weeks as both the EU and the U.S. Department of Commerce post guidance on how to comply with the new Privacy Shield framework. We also expect legal challenges to the new framework. While these challenges will take some time to work through the courts, companies interested in the Privacy Shield will have to consider the possibility that the framework may be invalidated when deciding whether the Privacy Shield is more attractive than standard contractual clauses or binding corporate clauses.

If you need assistance with Privacy Shield compliance, please contact Norbert F. Kugele at nkugele@wnj.com or 616.752.2186, Kenneth A. Coleman at kcoleman@wnj.com or 616.752.2708 or any other member of the Warner Norcross Data Solutions Group.
 

NOTICE. Although we would like to hear from you, we cannot represent you until we know that doing so will not create a conflict of interest. Also, we cannot treat unsolicited information as confidential. Accordingly, please do not send us any information about any matter that may involve you until you receive a written statement from us that we represent you.

By clicking the ‘ACCEPT’ button, you agree that we may review any information you transmit to us. You recognize that our review of your information, even if you submitted it in a good faith effort to retain us, and even if you consider it confidential, does not preclude us from representing another client directly adverse to you, even in a matter where that information could and will be used against you.

Please click the ‘ACCEPT’ button if you understand and accept the foregoing statement and wish to proceed.

ACCEPTCANCEL

Text

+ -

Reset