EU-US Privacy Shield – Clock is ticking on US Companies to self-certify!

If you are a US company that relied on Safe Harbor as the legal basis for receiving personal data from the EU, or you transfer data to one, rather than using Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), take note.

The Safe Harbor data transfer mechanism between the EU and US was struck down in October 2015, after Max Schrems challenged how Facebook handled EU users' data, and a newly approved (12 July 2016) protection vehicle has now replaced it: the EU-US Privacy Shield. Safe Harbor was found inadequate in particular because US public authorities were able to access, on a generalised basis, the data transferred to US organisations. Under Privacy Shield the US government has given written assurances that there will be no mass surveillance or indiscriminate access to the information gathered by US organisations.

It will take time before the actual impact of Privacy Shield can be assessed. Self-certification has been open since 1 August 2016, and US organisations that self-certify by 30 September 2016 get a nine-month grace period to bring their existing contracts with third parties into line with the onward-transfer rules; those that certify later must be fully compliant from the date they join. Privacy Shield is also described as a 'living mechanism', subject to an annual joint review, and it can be suspended if it is found no longer to provide adequate protection.

Stronger measures have been put in place to protect EU citizens’ personal data:

  • Stronger monitoring and enforcement by the US Department of Commerce and the Federal Trade Commission;
  • Increased requirement for co-operation with European Data Protection Authorities;
  • Written commitments and assurances by the US that ANY access by public authorities to personal data on national security grounds will be subject to limitations and conditions;
  • An Ombudsperson mechanism will be created to handle complaints or enquiries from EU citizens; it will act independently of the US intelligence services;
  • Regular reviews of participating companies to ensure compliance;
  • Sanctions for non-compliance, plus removal from the Privacy Shield List;
  • Tightened conditions where a US company participating in the scheme transfers data onward to third parties. Those third parties have a duty to notify the company when they are no longer able to ensure an appropriate level of protection;
  • Data retention requirements have been made more explicit; and
  • Accessible and affordable dispute resolution.

By self-certifying to and complying with the EU-US Privacy Shield, an organisation in the US is treated as providing adequate protection, so it can receive and process personal data from the EU without needing SCCs or BCRs for each transfer. The US Department of Commerce has issued guidance on self-certifying: DOC guidance. In summary, it requires US companies to do the following:

a) Decide whether you need to self-certify: if you receive EU citizens' personal data and intend to rely on Privacy Shield as the basis for the transfer, you do;

b) Create or update your privacy policy so that it complies with the Privacy Shield Principles;

c) Identify an independent recourse mechanism that EU individuals can use to raise complaints and have them investigated;

d) Put in place a verification mechanism (self-assessment or an outside compliance review) to demonstrate compliance with the Principles; and

e) Designate a contact for Privacy Shield matters.

Privacy Shield raises the bar for data protection, but organisations should not let their guard down: inspect every outbound transfer so that no non-essential information is shared. Where necessary, data security policies can redact, block or encrypt in real time, based on the content and context of the data destined for transfer. Reviewing and deploying such data visibility, adaptive security and governance processes will also ready your organisation for GDPR, the next major data protection regulation.
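The content-and-context policy described above, reduced to a small worked example in Python. This is an added illustration, not Clearswift's code or product: the certified-recipient set, the purpose-to-field mapping, the detection patterns and the sample records are all constructed for this example, and the "encrypt" action is represented by keyed pseudonymisation (HMAC-SHA256) because the Python standard library has no block cipher. A real deployment would encrypt with a proper cryptographic library and check recipients against the Department of Commerce's Privacy Shield list rather than a hard-coded set.

```python
"""Content- and context-aware policy check for outbound personal data.

Added example. Every list, pattern and record below is constructed
for illustration; none comes from a real product or a real data set.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed: recipients the sender has verified as Privacy Shield
# certified. In practice, look this up on the Department of Commerce list.
CERTIFIED_RECIPIENTS = {"example-payroll-inc", "example-crm-llc"}

# Constructed: the fields each business purpose genuinely needs
# (data minimisation). Anything outside this set is dropped.
PURPOSE_FIELDS = {
    "payroll": {"employee_id", "name", "salary", "iban"},
    "crm": {"customer_id", "name", "email", "notes"},
}

# Identifiers too sensitive to send in clear even when the transfer is
# permitted. Keyed pseudonymisation stands in for encryption here.
PSEUDONYMISE_FIELDS = {"iban", "national_id"}

# Free-text fields are scanned for personal data that has leaked into them.
FREE_TEXT_FIELDS = {"notes"}
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d ()-]{7,}\d"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}


@dataclass
class Decision:
    action: str                      # "allow", "allow_with_changes" or "block"
    record: dict = field(default_factory=dict)
    reasons: list = field(default_factory=list)


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic keyed token: same input and key give the same token."""
    return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact_text(text: str):
    """Replace each matched pattern with a marker; return text and hit summary."""
    hits = []
    for label, pattern in PATTERNS.items():
        text, count = pattern.subn(f"[{label} redacted]", text)
        if count:
            hits.append(f"{count} {label}")
    return text, hits


def evaluate_transfer(record: dict, recipient: str, purpose: str, key: bytes) -> Decision:
    """Block, allow, or allow-with-changes based on who gets what and why."""
    # Context check first: no recognised transfer basis means no transfer.
    if recipient not in CERTIFIED_RECIPIENTS:
        return Decision("block", {}, [f"{recipient} is not on the certified list"])
    if purpose not in PURPOSE_FIELDS:
        return Decision("block", {}, [f"unknown purpose {purpose!r}"])

    allowed = PURPOSE_FIELDS[purpose]
    out, reasons = {}, []
    for name, value in record.items():
        if name not in allowed:
            reasons.append(f"dropped {name}: not needed for {purpose}")
            continue
        if name in PSEUDONYMISE_FIELDS:
            out[name] = pseudonymise(str(value), key)
            reasons.append(f"pseudonymised {name}")
        elif name in FREE_TEXT_FIELDS and isinstance(value, str):
            cleaned, hits = redact_text(value)
            out[name] = cleaned
            if hits:
                reasons.append(f"redacted in {name}: {', '.join(hits)}")
        else:
            out[name] = value
    return Decision("allow_with_changes" if reasons else "allow", out, reasons)


if __name__ == "__main__":
    # Constructed sample record and key.
    key = b"constructed-demo-key"
    crm_record = {
        "customer_id": 42,
        "name": "Alice Example",
        "email": "alice@example.com",
        "national_id": "AB123456C",
        "notes": "Call back on +44 20 7946 0958, alt contact bob@example.org",
    }
    for recipient in ("example-crm-llc", "unknown-vendor"):
        decision = evaluate_transfer(crm_record, recipient, "crm", key)
        print(recipient, decision.action, decision.reasons, decision.record)
```

The ordering matters: the context decision (is there a transfer basis at all?) is taken before any content inspection, so a blocked transfer never leaks partial data, and the content rules only run on records that are already permitted to leave.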

By Debbie Evans, Legal & Commercial Director, Clearswift
