EU-U.S. Privacy Shield Data Transfer Principles—Holding the Line

On July 12, the European Commission finally adopted its Adequacy Decision on the EU-U.S. Privacy Shield, which provides a new compliance framework for U.S. organisations that wish to “import” personal data from the European Union. The Adequacy Decision replaces the U.S.-EU Safe Harbor Framework that was invalidated by the Court of Justice of the European Union on Oct. 6, 2015.

U.S. companies have been able to certify with the U.S. Department of Commerce (DoC) since Aug. 1. Once certified, they appear on a public list published by the DoC. Organisations that submitted their self-certification application by Sept. 30, 2016 (and that are engaged in the onward transfer of personal data received from the EU) have a nine-month grace period to bring their existing third-party contracts into line with Privacy Shield requirements.

So, by now, more than 500 organisations are likely to have received confirmation of approval of their self-certification application. In some cases, there has been a degree of “to-ing and fro-ing” between the DoC and the relevant organisation in relation to the content of its privacy policies—which indicates that the DoC is looking carefully at whether organisations are meeting the relevant Privacy Shield requirements.

The receipt of this approval is, however, only the beginning of the story. In order to ensure ongoing adherence to the Privacy Shield Principles, organisations need to make sure that appropriate policies and procedures are in place, and that they take appropriate steps vis-à-vis third-party contracts.

Practical Steps That Organisations Should Take

So what does the battle plan look like? There are a number of practical steps that Privacy Shield-certified organisations will need to take.

Privacy Policies

As part of the self-certification process, organisations will have submitted Privacy Shield-compliant policies to the DoC. To the extent that any material changes are made to these policies post-certification, organisations should notify affected individuals (in accordance with any notification procedure indicated in the policy).

The updated public-facing policy should be available at the same URL as that provided to the DoC at the time of self-certification. If any material changes have been made to the HR privacy policy, the DoC should be made aware that the policy has been updated, and a revised copy of the policy should be made available to the DoC.