As you will be aware from previous Matheson updates in our ongoing series relating to international data transfers, the General Data Protection Regulation and privacy generally, the EU-US Privacy Shield (the “Privacy Shield”), which replaces Safe Harbour, was approved with effect from 1 August 2016.
The Privacy Shield enables the legitimate transfer of personal data to a US-based organisation. The Privacy Shield operates under a system of self-certification through which US organisations agree to abide by specified privacy principles (the “Principles”), including in relation to notice, accountability for onward transmission to a third party, and recourse, enforcement and liability, thereby endowing personal data transfers from the European Economic Area to self-certifying entities with “essential equivalence” in terms of data protection.
While an application for self-certification can be made at any time, there may be a benefit in doing so now, before 30 September this year. In general, the Principles will apply immediately upon self-certification. There is, however, a limited exception relating to the accountability for onward transfer principle in cases where an organisation already has pre-existing commercial relationships with third parties to which it transfers personal data. Provided that self-certification takes place before 30 September, the certifying organisation will be in a position to avail of an (up to) nine-month transitional period with regard to its existing commercial arrangements with third parties.
Further reading on Data Protection:
The European Commission formally adopted the Privacy Shield framework on 12 July 2016. Read our communication on the decision here.
On 6 October 2015, the Court of Justice of the European Union issued its ruling in the case of Schrems v Data Protection Commissioner.