On Tuesday, the European Commission formally adopted the EU-US Privacy Shield, a new framework for governing personal data transfers between Europe and the United States. The Privacy Shield, which replaces the Safe Harbor transfer deal, implements safeguards on how US organizations can access the data of EU citizens.
Although some argue that adhering to European data protection laws in the US (where EU law has no jurisdiction) is impossible without substantial reform of US law, top representatives from each region assert otherwise.
In a joint statement on Tuesday, Commission Vice-President Andrus Ansip and Justice Commissioner Vera Jourova said the Privacy Shield imposes “clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”
Over the past few days, a lot of clients and colleagues have asked me what this announcement means for data privacy, compliance, and more. I thought it might be helpful to share some insights here.
Below are answers to five top questions around the EU-US Privacy Shield. Have more questions? Ask them in the comments section below.
1. How will the Privacy Shield process work?
US companies will register to be on the Privacy Shield list and self-certify that they meet the high data protection standards set out by the arrangement. They will have to renew their registration every year. The US Department of Commerce will monitor and actively verify that privacy policies are in line with the relevant Privacy Shield principles.
2. In what key ways does Privacy Shield differ from the old Safe Harbor agreement?
The Privacy Shield upholds Safe Harbor’s requirement for participating organizations to take appropriate measures to “protect data from loss, misuse, and unauthorized access.” But there are several ways in which the Privacy Shield differs:
3. How does the Privacy Shield affect third-party data transfers and agreements?
The Privacy Shield expands regulation of and accountability for third-party personal data transfers. In third-party contracts, certified organizations must specify that transferred personal data may only be processed for “limited and specified purposes” consistent with the data subject’s consent. All third parties must agree to provide the same level of protection as organizations certified under the Privacy Shield.
4. What are some key protections that participating organizations are required to provide to individuals?
Organizations participating in the Privacy Shield are required to notify individuals, in clear and conspicuous language, of:
5. Is my business required to sign up to the EU-US Privacy Shield?
Signing up to the Privacy Shield is technically voluntary. But if you don’t sign up, you will not be authorized to process any data from the EU in the US without permission from an end user or by using model clauses or binding corporate rules. Those options cost more time and money. Even if your company didn’t worry about Safe Harbor before, you should pay attention to the Privacy Shield. The definition of “personal data” has changed.
We’ve been following news of the Privacy Shield closely, and will continue to do so. Subscribe to our blog to stay up to date on key updates and suggested actions.