Wednesday, July 27, 2016

Privacy Shield: A New Tool for Transferring Personal Data From EU

In an earlier blog post, I wrote about a very public bet I made with Bill McGeveran, a University of Minnesota law professor. As detailed, in front of over 150 lawyers I bet that there was no way that the European Court of Justice would ever invalidate the EU-US safe harbor, relied upon by over 4000 American businesses to transfer personal data from the EU to the US. 

This popular program, which had been in existence for over 15 years, allowed businesses to self-certify compliance with the US Department of Commerce regarding certain privacy policies and procedures. Professor McGeveran bet the European Court would invalidate this popular program. On October 6, 2015, the European Court of Justice invalidated the EU-US safe harbor framework. Bill and I enjoyed a nice lunch at Mission American Kitchen. I paid.

Since losing my bet, businesses that had relied upon the safe harbor have been in limbo or scrambling for new ways to comply with the EU Data Directive. Government officials continued to negotiate for a replacement program but encountered significant opposition within the EU. It was not clear if we would ever get a replacement.

Hello Privacy Shield! We have a replacement for the EU-US Safe Harbor!

Finally, on July 12, 2016 following extensive negotiations, including scathing public criticism by EU privacy officials, US and EU officials announced adoption of the EU-US Privacy Shield as a replacement for the Safe Harbor framework. While the Privacy Shield may encounter legal challenges from those same forces in the EU who opposed the safe harbor framework, this new mechanism for privacy compliance will likely become a popular choice and option for US businesses. Let’s just hope it lasts.

To appease EU concerns regarding government surveillance (thank you, Edward Snowden and Max Schrems), the new Privacy Shield includes a federal ombudsman to oversee intelligence access to EU citizen data, a multi-step complaint process for EU citizens, and additional enforcement and remedies for non-compliance. Similar to the safe harbor program, a business will be required to self-certify to certain privacy policies and procedures.

US companies can start submitting self-certifications to the Department of Commerce on August 1st.

What steps should you take now if you’re interested in Privacy Shield protection?

  • Confirm your eligibility to participate
  • Develop a Privacy Shield compliant privacy notice
  • Identify an independent dispute resolution provider prior to self-certifying
  • Ensure that your business has an effective process to verify and maintain compliance
  • Designate an individual as contact for Privacy Shield matters

Additional materials, details, and guidance on Privacy Shield compliance are available at the US Department of Commerce web site.

Even though this blog is for entrepreneurs, if you are a lawyer who is reading it, you may also be interested in an upcoming Minnesota CLE. On August 4, I will chair a course with the scintillating title Updating Your Global Privacy Compliance Toolkit. The new Privacy Shield will be a key topic for discussion.
