Background
In late 2015, the highest court in the European Union invalidated the Safe Harbor data-transfer framework that ruled over the transmission of personal data between the EU and U.S. for approximately 15 years. The European Court of Justice held that the U.S. government’s repeated and surreptitious access to the data of EU residents violated EU privacy rules and invalidated the agreement.
In response, the European Commission and the U.S. Government negotiated a new framework for transatlantic exchanges of personal data for commercial purposes in early 2016: the EU-U.S. Privacy Shield.
According to the regulator, the EU-U.S Privacy Shield Framework provides companies on both sides of the Atlantic with a current mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.[1]
Benefits of Certification
Although participation in the Privacy Shield is voluntary for US companies, those North American companies that handle private data transfers between the US and EU are still subject to the EU’s privacy and data protection laws. As such, it is necessary for any North American company handling this data to adopt policies and procedures that comply with the standards of the Privacy Shield so as not to attract unnecessary liability.
Further, the Privacy Shield requires compliance with more onerous standards than the model contractual clauses. Therefore, by complying strictly with the model contractual clauses, North American companies may be unwittingly exposing themselves to liability under the Privacy Shield.
Finally, self-certification by a North American company involved in handling private data transfers between the US and EU provides a sound business purpose as greater numbers of EU businesses are mandating compliance before entering into data transfer contracts with North American companies.
How to Certify
In order to register their compliance with the EU-U.S. Privacy Shield, an organization must self-certify. In order to be granted self-certification by the Department of Commerce, the company must develop a Privacy Policy that conforms to the Privacy Shield Principles like notice, choice, access, and accountability for onward transfer, while implementing processes and procedures for data retention and dispute resolution.
To be assured of Privacy Shield benefits, an organization must continue to self-certify annually with the Department of Commerce.
If your business needs assistance navigating the registration process or seeking self-certification, or if you have any questions about this article, please contact Siskinds’ Franchise, Distribution, and Licensing Group.