On July 12, 2016, the European Commission approved the new EU-U.S. Privacy Shield to replace the invalidated Safe Harbor program with a new data transfer mechanism.
U.S. companies with European Union (EU) operations often transfer personal information about their employees or customers from the EU to the United States. Because the EU data privacy directive, with some limited exceptions, generally prohibits cross-border transfers of personal data outside of the EU, many U.S. companies relied on the old Safe Harbor program as the mechanism for making such transfers legal. After the invalidation of the Safe Harbor program, U.S. companies were forced to rely on either standard contractual clauses or binding corporate clauses as the mechanism for such transfers, neither of which was ideal: standard contractual clauses are cumbersome, and binding corporate clauses require a lengthy amount of time to put in place. The Privacy Shield now provides an alternative.
If your company wants to take advantage of the new Privacy Shield framework, your company will need to:
- Self-certify compliance with the EU privacy principles and renew that certification annually.
- Review and possibly update its existing privacy policies, train its workforce and then objectively monitor for compliance going forward.
- Enter into a binding contract with any other organization, whether an affiliate or a contractor, with which your company shares personal data transferred from the EU, requiring that organization to comply with the Privacy Shield requirements. Keep in mind that in most instances, your company will remain liable if the other organization fails to live up to its obligations, meaning due diligence and ongoing monitoring will be important.
- Respond promptly to complaints about the use of EU personal data, which may include making alternative dispute resolution available without charge and responding to EU data protection authority investigations.
We expect more information to become available in the coming days and weeks as both the EU and the U.S. Department of Commerce post guidance on how to comply with the new Privacy Shield framework. We also expect legal challenges to the new framework. While these challenges will take some time to work through the courts, companies interested in the Privacy Shield will have to consider the possibility that the framework may be invalidated when deciding whether the Privacy Shield is more attractive than standard contractual clauses or binding corporate clauses.
If you need assistance with Privacy Shield compliance, please contact Norbert F. Kugele at firstname.lastname@example.org or 616.752.2186, Kenneth A. Coleman at email@example.com or 616.752.2708 or any other member of the Warner Data Solutions Group.