
Guest Article from Global Z International: EU-US Privacy Shield Brings Major Changes for Global Data Processors

July 29, 2016

Are you ready for the new “Privacy Shield” regulations? The new European Union-United States agreement will bring some major changes for American businesses that process European customer data.

On July 12, the European Commission (EC) adopted the new EU-US Privacy Shield (formerly known as EU-US Safe Harbor). The new Privacy Shield framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States, and brings legal clarity for businesses relying on transatlantic data transfers.

Privacy Shield is a voluntary self-certification to the US Department of Commerce. Once a company publicly commits to Privacy Shield, it is enforceable under US law. It includes multiple avenues of redress to resolve complaints. The agreement is a ‘living commitment’ with annual reviews. Companies that certify with Privacy Shield must select an independent dispute resolution organization that includes the following criteria:

  • Panel created by the EU Data Protection Authorities (DPAs)
  • Accredited organization in EU
  • Accredited organization in US

According to the press release issued by the European Commission, EU-US Privacy Shield is based on the following principles:

  • Strong obligations on companies handling EU data;
  • Clear safeguards and transparency obligations on US government access;
  • Effective protection of individual rights;
  • Annual joint reviews between EC and US Department of Commerce.

Going forward, the Privacy Shield framework will be published in the US Federal Register and the US Department of Commerce will start operating the Privacy Shield immediately. Once US companies have had an opportunity to review the framework and update their compliance, they will be able to certify with the Commerce Department starting August 1, 2016. Companies should also assess Privacy Shield’s impact on their EU-US data transfer strategy. In particular, there is a limited “grace period” available: companies that self-certify within two months of Privacy Shield’s effective date will be given a nine-month transitional period to address relationships with third parties.

For more information regarding the Privacy Shield framework, please see the US International Trade Administration’s press release. Also, the US Department of Commerce has issued a “Fact Sheet” overview of the EU-US Privacy Shield Framework; it can be viewed here.

The Privacy Shield will be complex; we strongly recommend consulting legal counsel with international privacy law expertise. If you would like to discuss Privacy Shield in greater detail and/or the specific impact on your company, feel free to contact us.

— by Ted Haas, Chief Marketing Officer, Global-Z International

For more information, please contact Paul Harris at pharris@globalz.com
