Now that the European Commission has adopted the Privacy Shield (which replaces “Safe Harbour”), there are steps which US companies will need to take to ensure that they comply with data protection law when transferring data from the EU, and steps which EU companies will need to take if transferring data to the US.

Since the old system, the ‘Safe Harbour’ regime, was found to be invalid by the Court of Justice of the European Union, the Privacy Shield has been approved to replace it. It requires companies based in the US to self-certify their compliance with the framework. The US Department of Commerce is now accepting certification requests.

After that point, companies will need to self-certify on an annual basis, publish a privacy policy on their websites, have a procedure for responding to complaints within 45 days and comply with the various Privacy Shield principles (which are very similar to our own under the Data Protection Act). The US Department of Commerce will monitor companies to ensure that all requirements are met.

EU companies need to ensure that any company in the US to which they send data is appropriately signed up.