European Union and United States authorities have announced the “EU-U.S. Privacy Shield,” a new transatlantic data transfer framework to replace Safe Harbor, which was invalidated by the European Court of Justice in October in Maximillian Schrems v. Data Protection Commissioner (C-362-14). Since this issue has clear implications for our pharmaceutical and medical device clients, we’ve covered it often, including here and most recently here.
The Privacy Shield is still a work in progress, so its final form is uncertain. (There are doubts that the framework will pass muster, with a Minister of the European Parliament calling it “a joke” that risks review before the European Court of Justice again.) Based on what we know at the moment, though, here’s what the Privacy Shield means for your business:
- For at least the near future, you’ll still need an alternative method for complying with restrictions around international transfers of data. The Privacy Shield hasn’t been finalized yet, and there will inevitably be lead time to implement it once it is. If you haven’t plugged this gap, your company is subject to enforcement action by the EU Member States’ Data Protection Authorities.
- Certifying to the Privacy Shield will probably be demanding and costly. Organizations that were previously certified under the Safe Harbor regime will not be automatically certified to the Privacy Shield. Your company will likely need to implement a range of new policies and procedures to achieve certification.
- The U.S. Department of Commerce will now be monitoring companies handling Europeans’ personal data and ensuring that these companies publish their commitments. This in turn means the Federal Trade Commission will be able to enforce the commitments under U.S. law – and the FTC has far greater fining powers than those currently possessed by EU Data Protection Authorities.
For more information on the “EU-U.S. Privacy Shield” and what it means for your business, read our team’s recent client alert “Safe Harbor re-launched as the ‘EU-U.S. Privacy Shield’ – but doubts are already raised that it will survive a battle.”