If you are a United States company that processes or maintains data from individuals living in the European Union, this matters to you. The US/EU Data Privacy Shield self-certification process goes live on August 1, 2016. There lots of good information out there already, but there is also a good bit of scrambling to put in place a framework for companies that want to enroll in this new program. Do you want the high-level overview? Of course you do. Here is what Privacy Shield compliance will probably entail:
- Select a third-party dispute mechanism to handle complaints from EU data subjects.
- Review operational implications of the Privacy Shield Principles (i.e., designate point people, review security measures, review third party contracts etc.).
- Select a compliance verification assessment method (you can self-assess or hire a third-party to do it).
- Sign up on-line.
This program replaces the Safe Harbor program that was undone by the Schrems decision, which I covered here. And, unless and until Privacy Shield is ultimately disapproved, self-certification would appear to obviate the need for continued use of the Model Clauses, which I covered here. While the Privacy Shield program is somewhat more onerous than the Safe Harbor program had been, American companies are fortunate to finally (after months of being in limbo) have clear-ish guidance on how to appropriately handle EU data. The new program is administered by the Department of Commerce, and enforced, for most companies, through the Federal Trade Commission.
And, no, this is not technically an insurance piece. Here’s one coverage note, though: the program requires express submission to FTC jurisdiction for enforcement, so make sure you’ve got regulatory coverage in place. The EU has for years been way ahead of the US in terms of regulatory oversight in this context, and the enhanced role of the FTC coupled with a desire to make this new program work (and not be ditched in favor of something new in a year) could lead to increased enforcement activity.