Across the pond: the EU-US Privacy Shield

In the last 12 months, businesses on both sides of the Atlantic have faced significant uncertainty regarding the rules for transfers of personal data to countries outside the European Union.

Many companies, particularly in the technology and financial services sectors, simply cannot function without the free flow of data, including personal data, across borders.

EU data protection laws restrict the transfer of personal data to countries without an ‘adequate’ level of protection for the processing of personal data.

Before October 2015, the US-EU Safe Harbor scheme provided a mechanism for companies to transfer data from the EU to the United States. This scheme was invalidated by a landmark decision of the Court of Justice of the European Union, which held there were inadequate levels of protection under US law for personal data transferred from the EU.

>See also: How the EU-US Privacy Shield can benefit, not hinder, your business

This invalidation caught many businesses off-guard, but the national security concerns which contributed to the court decision were entirely out of the control of these businesses.

Rather, these issues required cooperation among international governments and, following intense negotiations for a replacement, the Privacy Shield was adopted on 12 July 2016.

In the short-term, US companies applying for certification under the Privacy Shield are likely to face increased administrative and compliance burdens as they scrutinise their internal housekeeping and make necessary revisions to external and internal privacy policies and practices.

For example, one of the key principles of the Privacy Shield – the ‘notice’ principle – requires that individuals be provided information about an organisation’s participation in the scheme, the types of personal data being collected, the purposes for which the data will be processed and with whom the personal data will be shared.

For most companies, these requirements will mean updated privacy policies in dealings with customers and employees. Another key principle – the ‘choice’ principle – requires companies to offer individuals the opportunity to choose whether their personal data will be disclosed to a third party or used for a purpose that is different from the purpose for which such personal data was originally collected or subsequently authorised.

Companies must respect individual choices and implement technical mechanisms so that data subjects may be informed, and be given the opportunity to opt out, of uses of their personal data.

In addition, contracts with third party data processors will need to be reviewed to ensure that personal data will only be processed in a manner consistent with the basis on which the data was collected in the first place and with the level of protection required by the Privacy Shield.

>See also: Why the EU/US data sharing deal won’t stop surveillance

In particular, the ‘onward transfer’ principle requires that any transfers to third party controllers or processors based in the US or in other countries are made pursuant to contracts which ensure the same level of protection as those provided by the Privacy Shield.

This means companies must undertake due diligence and, if needed, re-negotiate agreements with third party suppliers.

This may not be a quick or easy process, particularly where those third parties are based in jurisdictions with minimal data protection laws, but it is a necessary one.

Although the Privacy Shield has stronger enforcement mechanisms and a requirement to re-certify annually, companies previously registered under the Safe Harbor scheme should already be complying with many of these requirements.

But there are requirements that go beyond the Safe Harbor scheme, such as enhanced redress mechanisms for individuals and strict deadlines that US companies must follow in responding to complaints from EU data subjects.

Further, where US companies import human resources data from the EU (which many US parents of EU subsidiaries do as a matter of course) the importing company must comply with decisions of European data protection regulators.

There is no doubt that registration under the Privacy Shield imposes significant, and some new, burdens.

However, these hurdles are already being faced by companies implementing other safeguards, such as data transfer agreements incorporating the EU ‘model clauses.’

Generally viewed as cumbersome, model clauses also have the disadvantage of being subject to legal challenge and uncertainty.

For many data-reliant organisations, particularly financial services and technology companies operating across the Atlantic, investing time and resources in Privacy Shield certification is simply an unavoidable cost of doing business in a global marketplace.  

Sourced by Huw Beverley-Smith, Partner, Kathleen Rice, Counsel, and Leita Walker, Partner specialising in data privacy, at Faegre Baker Daniels

Avatar photo

Nick Ismail

Nick Ismail is the editor for Information Age. He has a particular interest in smart technologies, AI and cyber security.

Related Topics