Last fall, the framework for personal data exchange between the European Union and the United States that had operated for many years—the so-called “Safe Harbor”—was struck down by the European courts. A new framework, the “Privacy Shield,” was adopted last week and here are the key takeaways.
For US companies, regardless of size, that have operations in, or who otherwise receive personal data from, EU countries, and do not have another framework in place (i.e., “binding corporate rules” or “model contract clauses”), with certain limited exceptions, the only way that they can legally receive or transfer personal data from the European Union is by complying with the Privacy Shield requirements.
Certification for the Privacy Shield begins on August 1, though some of the necessary changes can be made before then. Additionally, there is a nine-month grace period for compliance with the onward data transfer provisions to “downstream” parties for companies that certify within two months after the effective date of the Privacy Shield (failure to certify within that period means that, as part of certification, the onward transfer compliance will already need to be in place).
At a high level, in order to be able to certify for the Privacy Shield:
- most companies will need to revise their privacy policies to include the specific requirements of the Privacy Shield;
- likewise, most US companies will need to adjust some of their practices in order to comply;
- if there is HR (employees, contractors, etc.) data from EU citizens, there also are additional requirements that may involve updating internal policies and procedures; and
- companies will need to put in place specific contractual requirements for all vendors and other third parties to whom EU personal data is transferred.