The EU Commission has formally adopted Privacy Shield and the US Department of Commerce will go live with a new Privacy Shield registration website on August 1. US companies that had been registered under Safe Harbor will need to complete a new internal review, self-certification and registration to take advantage of Privacy Shield.
Much of the negotiation of Privacy Shield has focused on enforcement and oversight of the program by US authorities (as well as on the US intelligence agencies’ own collection and use of EU personal data). Companies that are already familiar with Safe Harbor will find Privacy Shield’s general privacy principles to be very similar. However, companies will want to take note of the more stringent conditions for onward transfers to third parties, which are likely to require companies to review their contracts with service providers and business partners. Companies will also need to scrutinize their data retention practices carefully. Overall, annual data protection reviews will be necessary as part of continued self-certification. The Department of Commerce is expected to take a more active role in proactively monitoring compliance, so companies will need to be prepared for inspections even if no complaints have been made.
The final version of Privacy Shield and its appendices, along with a press release and FAQ, are available here.