On July 12, 2016, the European Commission approved the new EU-U.S. Privacy Shield to replace the invalidated Safe Harbor program with a new data transfer mechanism.
U.S. companies with European Union (EU) operations often transfer personal information about their employees or customers from the EU to the United States. Because the EU data privacy directive, with some limited exceptions, generally prohibits cross-border transfers of personal data outside of the EU, many U.S. companies relied on the old Safe Harbor program as the mechanism for making such transfers legal. After the invalidation of the Safe Harbor program, U.S. companies were forced to rely on either standard contractual clauses or binding corporate clauses as the mechanism for such transfers, neither of which were ideal because they were either too cumbersome (standard contractual clauses) or required a lengthy amount of time to put in place (binding contractual clauses). The Privacy Shield now provides an alternative.
If your company wants to take advantage of the new Privacy Shield framework, your company will need to:
We expect more information to become available in the coming days and weeks as both the EU and the U.S. Department of Commerce post guidance on how to comply with the new Privacy Shield framework. We also expect legal challenges to the new framework. While these challenges will take some time to work through the courts, companies interested in the Privacy Shield will have to consider the possibility that the framework may be invalidated when deciding whether the Privacy Shield is more attractive than standard contractual clauses or binding corporate clauses.
If you need assistance with Privacy Shield compliance, please contact Norbert F. Kugele at nkugele@wnj.com or 616.752.2186, Kenneth A. Coleman at kcoleman@wnj.com or 616.752.2708 or any other member of the Warner Data Solutions Group.
