As of August 1, the US-EU Privacy Shield is up and running. Companies transferring personal data (e.g., employee data, customer data, etc.) from the EU to the U.S. can now register with the U.S. Department of Commerce provided that they meet the requisite protection criteria. Registration under the Privacy Shield certifies that the transfer of the personal data does not run afoul of the EU rules which generally prohibit the transfer of such personal data to the U.S.

As you will recall, the Privacy Shield replaces the EU-US Safe Harbor which was declared invalid by the European Court of Justice (ECJ). One reason identified by the ECJ was the inadequate remedies available to EU citizens against U.S. companies. One important aspect of the Privacy Shield is the expanded remedies given to data subjects. The Privacy Shield has a formal dispute procedure EU citizens can trigger.

In an effort to stimulate greater compliance through private enforcement, the European Commission just issued a guide for consumers to inform them of their rights and how they can initiate complaints against U.S. businesses. It will not take long before the cases start to filter through the system.

U.S. companies should determine whether they transfer data from the EU to the U.S., what exception they rely on to legally transfer such data and whether the Privacy Shield is appropriate for them.