Corporate Compliance Insights

EU-U.S. Privacy Shield: A Path Forward

by Lisa Sotto
August 5, 2016
in Uncategorized
Requirements of U.S. companies in a new era of data privacy

with co-author Christopher Hydak

The European Commission formally adopted the EU-U.S. Privacy Shield in July 2016 after more than two years of negotiation with U.S. regulators.  On August 1, 2016, the Department of Commerce began accepting certification applications from U.S. companies that have agreed to comply with the Shield’s seven principles.  Similar to its predecessor regime known as the Safe Harbor, which was invalidated by the European Court of Justice in October 2015, the Privacy Shield is a data transfer mechanism that allows companies in the U.S. to receive personal data from the European Union in compliance with EU cross-border data transfer restrictions.

After the Safe Harbor was invalidated and before the Privacy Shield was unveiled, companies in the U.S. that previously had relied on the Safe Harbor for their trans-Atlantic data flows had little choice but to implement alternative mechanisms for transferring personal data from the EU to the U.S. The two primary alternative data transfer mechanisms, known as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), each have a number of drawbacks, as discussed below.  In addition to these transfer mechanisms, there are several exceptions to the EU transfer restrictions that permit transfers of personal data from the EU to the U.S., such as transfers that are made pursuant to data subject consent and those that are necessary to serve the legitimate interests of the exporting company or the data recipient.  But these exceptions are not intended to allow the systematic and continuous transfers of data required by today’s businesses, and many European data protection authorities view these exceptions skeptically and interpret them narrowly.  Now that the Privacy Shield has been formally adopted, many U.S. companies are left wondering whether to certify to the Privacy Shield or stick with the alternate data transfer frameworks they put in place before the Privacy Shield was rolled out.

Benefits of the Privacy Shield

A number of the most onerous aspects of SCCs and BCRs are not repeated in the Privacy Shield framework.  SCCs, for example, present both procedural and substantive complexities.  From a procedural perspective, in several EU Member States, companies must obtain regulatory approval to use SCCs as a legitimate data transfer mechanism.  In other Member States, although regulatory approval is not required, SCCs nevertheless must be submitted to the relevant EU Member States’ data protection authorities.  In addition, SCCs are inflexible – the provisions of the European Commission-approved clauses may not be altered in any way.  If the provisions are changed, the contract is no longer considered a valid mechanism by which to legally transfer data outside of the EU.  From a substantive perspective, SCCs fare no better.  For example, SCCs require data importers outside of the EU to allow the relevant EU data exporters to audit the importers’ data processing facilities.  This is a difficult ask for large U.S. service providers such as cloud storage providers that have thousands of clients.  BCRs, while a highly effective mechanism for data transfers once implemented, typically take more than a year to put into place and require the expenditure of significant monetary and human resources.  As a result, fewer than 100 companies worldwide have implemented BCRs as their data transfer mechanism.

The Privacy Shield is much more flexible than SCCs and does not require the significant investment necessary to implement BCRs.  To certify to the Privacy Shield, a business in the U.S. must agree to abide by the seven principles that comprise the Shield.  These principles, which include requirements for the certifying organization to provide EU individuals with notice about the business’s data-handling practices and choices with respect to certain uses and disclosures of personal data, resemble the corresponding EU data protection principles.  Typically, a company considering certifying to the Privacy Shield would spend several months assessing its data management processes, conducting a gap analysis and developing the internal policies and procedures necessary to comply with the Privacy Shield.  Once the underlying work has been completed and the company has certified its compliance with the Privacy Shield principles, the organization may receive personal data in the U.S. from an unlimited number of EU data exporters, including the company’s affiliated entities in the EU.  Although certifying to the Privacy Shield requires a commitment of time and resources, the investment necessary to certify (and undertake the required annual re-certification) is far less significant than that required to implement BCRs.

Risks Associated with the Privacy Shield

The biggest risk associated with the Privacy Shield, and the risk that leaves many U.S. companies hesitant to certify, is that the Privacy Shield could suffer the same fate as the Safe Harbor.  Like the Safe Harbor, the Privacy Shield is likely to undergo a legal challenge that could render the framework invalid as a legal mechanism by which to transfer personal data from the EU to the U.S. Certain EU privacy advocates have already indicated that they plan to bring a legal challenge because they believe the Privacy Shield’s protections do not sufficiently safeguard the rights and freedoms of EU data subjects.

There is also a risk that the Privacy Shield could be found to provide inadequate protection under the EU General Data Protection Regulation, which is due to come into force in May 2018.  The Privacy Shield’s existing adequacy decision is based on the current EU data protection regime under the EU Data Protection Directive, and that regime will be replaced in full in less than two years.

Although the Privacy Shield’s fate is uncertain, its odds of survival are strong.  The drafters of the Privacy Shield sought to address each issue identified by the European Court of Justice in its decision invalidating the Safe Harbor.  While not bulletproof, the Privacy Shield likely is sufficiently carefully crafted to be able to withstand a legal challenge.  Importantly, the Privacy Shield will be reviewed by EU and U.S. government representatives on an annual basis, providing an opportunity for the relevant regulators on both sides of the Atlantic to tweak the framework, remediate vulnerabilities and clarify ambiguities.

The Verdict

The Privacy Shield is likely to be a popular choice for U.S. companies to legitimize their receipt of personal data from the EU.  Several large U.S. technology companies have already signaled their intention to certify to the Privacy Shield, and many other U.S.-based organizations undoubtedly will follow suit.  For those companies that receive in the U.S. a significant amount of personal data from the EU, the Privacy Shield is an attractive choice of data transfer mechanisms.  Given the flexibility offered by the Privacy Shield and the protections it provides to EU individuals, there is reason to be optimistic about the Privacy Shield’s future.


Tags: communications management
About the author

Lisa J. Sotto is a partner and chair of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP in New York. She may be reached at (212) 309-1223 or lsotto@hunton.com.

© 2019 Corporate Compliance Insights