EU-US Privacy Shield Framework – Does it Apply to Your Business?

Written by on August 21, 2017.

Background

In late 2015, the highest court in the European Union invalidated the Safe Harbor data-transfer framework that had governed the transmission of personal data between the EU and the U.S. for approximately 15 years. The European Court of Justice held that the U.S. government’s repeated and surreptitious access to the data of EU residents violated EU privacy rules, and it invalidated the agreement on that basis.

In response, the European Commission and the U.S. Government negotiated a new framework for transatlantic exchanges of personal data for commercial purposes in early 2016: the EU-U.S. Privacy Shield.

According to the regulator, the EU-U.S. Privacy Shield Framework provides companies on both sides of the Atlantic with a current mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.[1]

Benefits of Certification

Although participation in the Privacy Shield is voluntary for US companies, those North American companies that handle private data transfers between the US and EU are still subject to the EU’s privacy and data protection laws. As such, it is necessary for any North American company handling this data to adopt policies and procedures that comply with the standards of the Privacy Shield so as not to attract unnecessary liability.

Further, the Privacy Shield requires compliance with more onerous standards than the model contractual clauses. Therefore, by complying strictly with the model contractual clauses, North American companies may be unwittingly exposing themselves to liability under the Privacy Shield.

Finally, self-certification makes sound business sense for a North American company involved in handling private data transfers between the US and EU, as a growing number of EU businesses are mandating compliance before entering into data transfer contracts with North American companies.

How to Certify

In order to register its compliance with the EU-U.S. Privacy Shield, an organization must self-certify. In order to be granted self-certification by the Department of Commerce, the company must develop a Privacy Policy that conforms to the Privacy Shield Principles, such as notice, choice, access, and accountability for onward transfer, while implementing processes and procedures for data retention and dispute resolution.

To be assured of Privacy Shield benefits, an organization must continue to self-certify annually with the Department of Commerce.

Andrew is an associate in Siskinds’ Franchise, Distribution, and Licensing Group. If your business needs assistance navigating the registration process or seeking self-certification, or if you have any questions about this article, please contact Andrew by email or by phone at 519.660.7848.

[1] https://www.privacyshield.gov/Program-Overview
