When the European Court of Justice first invalidated the Safe Harbor, we recommended here that, for most companies, staying the course by implementing general data security best practices was probably the right thing to do until the situation in the European Union stabilized.
As of last week, that interregnum in transatlantic data transfer law has ended. The EU and US governments finally signed the Privacy Shield as a replacement for the old Safe Harbor regime. Companies must now decide whether to adopt the Shield, pick up one of the weighty swords that are the other compliance methods, or plough ahead doing nothing new, waiting to see if Schrems and his supporters challenge the new arrangement as they did the old one.
Privacy Shield is one of four (five if you include the rarely used “ad hoc clauses” method) options for achieving compliance with the EU Privacy Directive. When compared with the other methods, Privacy Shield will, using the history of its Safe Harbor predecessor as a guide, likely prove to be the most cost-effective. Using the Binding Corporate Rules (BCRs) compliance option, for instance, requires a months-long (potentially even years-long) process. In comparison, Privacy Shield should take most companies no more than six to twelve weeks from deciding to adopt it to reaching the point of filing. Similarly, compared with the so-called model clauses approach, Privacy Shield is also easier to implement correctly: many companies claim to use model clauses, but few actually go deep enough into their supply chain, and fewer still actually meet the local filing requirements of the Data Protection Authorities (DPAs).