A Business Case for EU-US Privacy Shield Certification:
Updated: Sep 26, 2018
When Headcount Spans Both Sides of the Transatlantic
Does your company conduct transatlantic business between the United States and any of the 28 EU member states? If so, the legal restrictions prohibiting the transatlantic exchange of personal data from the EU to the US can be especially cumbersome. Stemming from today’s EU Data Protection Directive (95/46/EC), and soon to be enhanced by GDPR, personal or sensitive data about EU citizens cannot be transmitted, stored, or processed in the United States without approved additional safeguards. The EU Court of Justice insists that safeguards must be ensured to provide “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union” (Court of Justice of the European Union, 2015).
One way to satisfy the safeguards required by the European Commission is to self-certify with the EU-US Privacy Shield programme, an arrangement negotiated between the US Department of Commerce and the European Commission. This arrangement “imposes stronger obligations on US companies to protect Europeans’ personal data” (European Commission, 2016). The new framework “reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbor framework invalid” (Ibid.).
What are the Benefits of EU-US Privacy Shield Compared to Other Approaches?
Having overseen this programme for several companies this year, I can attest to the many benefits it fosters. First, implementation is faster, especially compared to model contract clauses (MCCs), which require prior authorization from EU data protection authorities. Second, there is less paperwork involved; the EU-US Privacy Shield does not require updates and new signatures on contractual clauses each time a business process or data flow changes. Third, the Privacy Shield drives corporate sponsorship from the top down by requiring corporate officers to attest annually to compliant practices. Fourth, the principles necessary to comply with the EU-US Privacy Shield are consistent with the safeguards required by GDPR compliance, making this an excellent starting point for the additional obligations forthcoming from GDPR, such as governance, broader individual rights, privacy by design and default, and breach notification.
What Commitments Must a US Company Make?
Whilst the decision by an organization to enter the Privacy Shield is entirely voluntary, effective compliance is compulsory once implemented: US organizations that self-certify with the US Department of Commerce publicly declare their commitment to adhere to the principles. To enter the Privacy Shield programme, an organization must:
be subject to the investigatory and enforcement powers of the Federal Trade Commission, the Department of Transportation or another statutory body that will effectively ensure compliance with the principles;
publicly declare its commitment to comply with the principles;
publicly disclose its privacy policies in line with these principles; and
fully implement the principles.
The Privacy Shield principles extend beyond what was required by Safe Harbor, aligning closely with the heightened requirements of the GDPR. Thus, organizations that certified to Safe Harbor may need to update their policies to meet the detailed obligations set out in the Privacy Shield principles. A total of 23 principles establish a set of requirements governing participating organizations’ use and treatment of personal data received from the EU under the framework, including the access and recourse mechanisms that participants must provide to individuals in the EU. Once an organization publicly commits to comply with the Privacy Shield principles, that commitment is enforceable under US law.
How to Get Started
Does your organization transmit, receive, store or process personal or sensitive data of EU subjects with the US? European law only permits personal data to be transferred out of the European Economic Area (“EEA”) to a third country that provides an “adequate” level of personal data protection; the US is not recognised as one of those countries, so a transfer to the US requires an additional approved mechanism. Visit www.privacyshield.gov for more information to determine if the EU-US Privacy Shield framework is right for you, or contact me, and I can help answer questions or streamline the process for your organization.
About the Author
Anya Krupina is an information security and regulatory compliance advisor at ALLENDEVAUX & Company, specialising in data privacy, compliance frameworks and risk assurance practices. She holds a JD of Law from the University of Law, UK, and is a lead implementer and auditor for ISO 27001. She may be contacted at firstname.lastname@example.org.
Court of Justice of the European Union. (2015, October 6). The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid: Judgment in Case C-362/14. curia.europa.eu. Retrieved from http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
European Commission. (2016, July). EU-US Privacy Shield Fact Sheet. Justice and Consumers. Retrieved February 9, 2017, from http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_eu-us_privacy_shield_en.pdf