On October 6, 2015, the European Court of Justice declared invalid the Safe Harbor program governing the transfer of personal data for commercial purposes between the European Union and the United States. See our former Global Matters articles on the subject: Evolving Law: The Status Of Data Transfer From The EU; New Framework For Transatlantic Data Flows; Data Flow From The EU: Is It Dead? Effective August 1, 2016, the EU-U.S. Privacy Shield program (Privacy Shield) became the new framework for such transatlantic exchanges. This new code of conduct is not a treaty or a law, but a voluntary self-certification and commitment to certain protections necessary for the transfer of EU personal data to the U.S.; the commitment is enforceable under U.S. law. Compared to Safe Harbor, Privacy Shield places more stringent requirements and responsibilities on how U.S. organizations collect, manage, and store the data of EU citizens.
The U.S. Department of Commerce has begun accepting applications for Privacy Shield, and the certification must be renewed annually. Not all organizations are eligible to participate in Privacy Shield’s self-certification. Privacy Shield presents several points of potential liability even for compliant organizations. Further, although Privacy Shield certification is voluntary, any U.S. organization that processes the personal data of EU individuals is subject to the EU’s privacy and data protection laws, and therefore should consider instituting guidelines and processes similar to those described in Privacy Shield. Meet with your Ally Law member firm attorney to determine whether you are eligible for Privacy Shield certification, how to self-certify, and to ensure that your current policies and procedures comport with EU requirements. For more information about Ally Law member firm services in this area, contact us at firstname.lastname@example.org.
Original article by Nathaniel C. Donoghue and Scott A. Stokes of Ally Law member Rich May, P.C.