Posted by Matt Cornelia
UPDATE (7/13/2016): E.U. and U.S. officials formally adopted Privacy Shield Tuesday, July 12. The U.S. Department of Commerce will begin accepting self-certifications on August 1. If you haven’t already, now is the time to begin the process of updating privacy policies, designating responsible individuals within your organization, and committing to compliance with the Privacy Shield principles.
If you have any questions about whether you comply or how your organization can become compliant, please contact one of Thompson & Knight’s cyber security attorneys.
E.U. member states voted in favor of the revised Privacy Shield last Friday, July 8. This vote sets the stage for formal approval by E.U. and U.S. officials, likely in the coming days.
According to a statement released by the European Commission, the “E.U.-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business.”
Commissioner Věra Jourová is scheduled to provide additional details to the European Parliament on Monday, July 11, and a joint press conference with U.S. Secretary of Commerce Penny Pritzker is scheduled for Tuesday.
Under Privacy Shield, U.S. companies may self-certify their compliance, allowing for the lawful transfer of E.U. citizens’ personal data across the Atlantic. But the new pact is “fundamentally different” from the old Safe Harbor agreement, so companies that handle or transfer E.U. citizens’ personal data outside of the E.U. should become familiar with the new requirements and begin preparing to implement them.
Privacy Shield was drafted to clarify U.S. companies’ obligations with respect to the protection of E.U. citizens’ personal data, to ensure compliance and enforcement in practice, and to provide access and redress mechanisms to individuals. Significantly, for the first time, U.S. authorities have provided written assurance that access by law enforcement and national security authorities will be subject to clear limitations, ruling out indiscriminate mass surveillance of E.U. citizens’ personal data.