Following lengthy negotiations with the US government after the invalidation of the Safe Harbor program by the European Court of Justice, the EU-US Privacy Shield program was approved by the European Commission in July 2016. If you have not already done so, now is the time to decide upon the best alternative solution for your business. If your company was not previously certified under the Safe Harbor program but your US operations routinely make use of EU personal data, now would be an opportune time to ensure that your company's processing of EU personal data outside of the European Union is compliant with EU law, and the Privacy Shield may provide a solution.
Compliance is important not only from a legal perspective but also because many EU customers and supply chain participants are now requiring proof of compliance in order to do business with US companies.
Compliance obligations arise from transfers from EU affiliates within a corporate group as well as transfers from EU customers and suppliers. Transfers include remote access to EU personal data facilitated via a global information system (for example, where a US manager has access to a French employee's performance reviews via a global HR information system).
The Privacy Shield procedures and principles roughly follow the Safe Harbor model, but there are some significant changes. Nonetheless, the Privacy Shield may be the most practical (and in some cases, the only) compliance solution for US companies that collect, process and store EU personal data (as compared to the EU Standard Contractual Clauses, Binding Corporate Rules or other EU-compliant adequacy measures).
Like the Safe Harbor principles, the Privacy Shield principles contain an "onward transfer" requirement relating to the ability of Privacy Shield-certified companies to lawfully share EU personal data with third parties (such as outsourcing partners, service providers and agents). The new onward transfer requirements are more stringent than the Safe Harbor rules and may require Privacy Shield-certified companies to negotiate revised contractual arrangements with the third parties to which they entrust the EU personal data of their customers or employees.
US companies have until September 30, 2016 to file their Privacy Shield applications in order to take advantage of a nine-month grace period for the negotiation or renegotiation of Privacy Shield-compliant onward transfer agreements.