Picks of the Week: What the new EU-US Privacy Shield means for your company
Europe Approves New Trans-Atlantic Data Transfer Deal | The New York Times
EU-US Privacy Shield Agreement Goes into Effect | The Verge
The recently approved EU-US Privacy Shield, a new framework for the lawful transfer of personal data from the EU to the US, replaces the prior Safe Harbor agreement, which the Court of Justice of the EU (CJEU) invalidated in 2015, and changes how data is shared between the two continents. Under Safe Harbor, US companies could self-certify that they would apply the more stringent EU data protection standards to data transferred from the EU to the US. But in the wake of the Edward Snowden disclosures and mounting concerns over US government surveillance programs, Safe Harbor came under increased scrutiny in Europe for failing to protect individuals and their personal data adequately, and the CJEU ultimately struck it down.
The new Privacy Shield aims to address those concerns by ensuring that data transferred from the EU to the US, from social media posts and search queries to information about workers' pensions and payroll, receives an adequate level of privacy protection, and by giving legal clarity to businesses that depend on transatlantic data transfers.
So, what will change for US companies doing business in the EU?
Beginning this August, US companies collecting employee and customer data from the EU will be able to self-certify with the US Department of Commerce that they comply with the new data protection rules. Certification is voluntary, but once a company has certified, its commitments become binding. Participants take on the following obligations:
Information about data processing: participating companies must publish a privacy policy declaring their commitment to comply with the Privacy Shield principles, which is enforceable under US law, and must include a link to the US Department of Commerce's Privacy Shield website and to a complaint submission form.
Free and accessible dispute resolution: companies must respond to individual complaints within 45 days and must provide, at no cost, an independent recourse mechanism. Participants must also commit to binding arbitration at the individual’s request to address any complaint that has not been resolved by other mechanisms.
Cooperating with the US Department of Commerce: participants must respond promptly to inquiries and requests by the US Department of Commerce for information relating to the Privacy Shield.
Maintaining data integrity and purpose limitation: participants must limit the use of personal data to what is relevant to the purposes for which it was collected, and must comply with a new data retention principle under which personal data may be kept only for as long as it serves that purpose.
Transferring data to third parties: companies wishing to share personal data with third parties (e.g., vendors) must obtain assurances that the third party can provide the “same level of protection” for the data. If a third party can no longer ensure the appropriate level of data protection, it must inform the company.
Following the demise of Safe Harbor in 2015, many US-based organizations that had relied on it, especially large tech vendors such as Amazon, Google, IBM, and Oracle, found alternative ways to address EU data sovereignty and privacy concerns: offering their customers the EU's standard (model) contract clauses as a legal basis for transfers, or building data centers inside Europe. The latter lets customers keep data within Europe, or even within a specific data center, where the information may not leave a particular EU country. – Francesca Spidalieri, Senior Fellow for Cyber Leadership