When the new EU-US Privacy Shield was adopted all the way back on the 12th of July, we were quoted in the media discussing the fact that formal legal challenges to it were inevitable. By the time the dust settled enough to issue our more comprehensive view here, it looked like such a challenge would be sufficiently far into the future that adoption of the new regime was probably the most cost-effective course for most companies. That view received some affirmation yesterday when the EU Data Protection Authorities’ Article 29 Working Party released a statement saying they would not seek to challenge the adequacy of Privacy Shield for at least a year.
Although its name does not exactly roll off the tongues of most Americans, the Article 29 Working Party is a highly influential body in the world of EU data privacy legislation. Its members are representatives of the individual Data Protection Authorities, or DPAs, from each of the EU member nations. Previously, the Article 29 Working Party had been critical of the Privacy Shield, so this news about refraining from a formal challenge to its adequacy is significant. In fact, many EU observers believe it may signal a new phase of flexibility in which the Article 29 Working Party will be more willing to tolerate refinement of the specific areas it feels are inadequate, rather than the scorched-earth, complete invalidation approach it supported in the case of the old Safe Harbor regime.
Here’s a recap of what you need to know about the EU-US Privacy Shield:
What is the Privacy Shield?
- a new arrangement between the US and EU governments adopted July 2016
- replaces the old Safe Harbor arrangement held invalid by the European Court of Justice in October 2015
- is now one of the core methods for companies to comply with the EU Privacy Directive

Does my company need it?
Do you export data to the US from an EU country listed here and/or from Switzerland? If you said yes, then you have to comply with the EU Privacy Directive in some manner.

How do we get it?
Companies can apply to the US Dept. of Commerce commencing August 1, 2016.

What’s required?
Minimally, companies will need to:
- review (or create) internal policies for collecting, securing and using personal information
- review and revise online privacy policies to meet specific Privacy Shield requirements
- put compliant contracts/addenda in place with third-party vendors
- put intracompany procedures in place with affiliates
- designate an internal contact to receive privacy-related complaints
- choose an approved dispute resolution mechanism
- confirm compliance annually through self- or third-party assessments