When the new EU-US Privacy Shield was adopted all the way back on the 12th of July, we were quoted in the media (here) discussing the fact that formal legal challenges to it were inevitable. By the time the dust settled enough to issue our more comprehensive view here, it looked like such a challenge would be sufficiently far into the future that adoption of the new regime was probably the most cost-effective course for most companies. That view received some affirmation yesterday when the EU Data Protection Authorities’ Article 29 Working Party released a statement saying they would not seek to challenge the adequacy of Privacy Shield for at least a year.

Although its name does not exactly roll off the tongues of most Americans, the Article 29 Working Party is a highly influential body in the world of EU data privacy legislation. Its members are representatives of the individual Data Protection Authorities, or DPAs, from each of the EU member nations. Previously, the Article 29 Working Party had been critical of the Privacy Shield, so this news about refraining from a formal challenge to its adequacy is significant. In fact, many EU observers believe it may signal a new phase of flexibility in which the Article 29 Working Party will be more willing to tolerate refinement of the specific areas it feels are inadequate, rather than the scorched-earth, complete invalidation approach it supported in the case of the old Safe Harbor regime.

Here’s a recap of what you need to know about the EU-US Privacy Shield:

What is the Privacy Shield?

  • a new arrangement between the US and EU governments adopted July 2016

  • replaces the old Safe Harbor arrangement held invalid by the European Court of Justice in October 2015

  • is now one of the core methods for companies to comply with the EU Privacy Directive

Does my company need it?

Do you export personal data to the US from an EU country listed here and/or from Switzerland? If you said yes, then you have to comply with the EU Privacy Directive in some manner, and Privacy Shield is one of the ways to do so.

How do we get it?

Companies can self-certify with the US Dept. of Commerce starting August 1, 2016.

What’s required?

Minimally, companies will need to:

  • review (or create) internal policies for collecting, securing and using personal information
  • review and revise online privacy policies to meet specific Privacy Shield requirements
  • put compliant contracts/addenda in place with third-party vendors
  • put intracompany procedures in place with affiliates
  • designate an internal contact to receive privacy-related complaints
  • choose an approved dispute resolution mechanism
  • confirm compliance annually through self- or third-party assessments