Corporate Compliance Insights
EU-U.S. Privacy Shield: A Path Forward

by Lisa Sotto
August 5, 2016
in Uncategorized
Requirements of U.S. companies in a new era of data privacy

with co-author Christopher Hydak

The European Commission formally adopted the EU-U.S. Privacy Shield in July 2016 after more than two years of negotiation with U.S. regulators. On August 1, 2016, the Department of Commerce began accepting certification applications from U.S. companies that have agreed to comply with the Shield's seven principles. Like its predecessor regime, the Safe Harbor, which was invalidated by the European Court of Justice in October 2015, the Privacy Shield is a data transfer mechanism that allows companies in the U.S. to receive personal data from the European Union in compliance with EU cross-border data transfer restrictions.

After the Safe Harbor was invalidated and before the Privacy Shield was unveiled, companies in the U.S. that previously had relied on the Safe Harbor for their trans-Atlantic data flows had little choice but to implement alternative mechanisms for transferring personal data from the EU to the U.S. The two primary alternative data transfer mechanisms, known as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), each have a number of drawbacks, as discussed below. In addition to these transfer mechanisms, there are several exceptions to the EU transfer restrictions that permit transfers of personal data from the EU to the U.S., such as transfers that are made pursuant to data subject consent and those that are necessary to serve the legitimate interests of the exporting company or the data recipient. But these exceptions are not intended to allow the systematic and continuous transfers of data required by today's businesses, and many European data protection authorities view these exceptions skeptically and interpret them narrowly. Now that the Privacy Shield has been formally adopted, many U.S. companies are left wondering whether to certify to the Privacy Shield or stick with the alternate data transfer frameworks they put in place before the Privacy Shield was rolled out.

Benefits of the Privacy Shield

A number of the most onerous aspects of SCCs and BCRs are not repeated in the Privacy Shield framework. SCCs, for example, present both procedural and substantive complexities. From a procedural perspective, in several EU Member States, companies must obtain regulatory approval to use SCCs as a legitimate data transfer mechanism. In other Member States, although regulatory approval is not required, SCCs nevertheless must be submitted to the relevant Member States' data protection authorities. In addition, SCCs are inflexible – the provisions of the European Commission-approved clauses may not be altered in any way. If the provisions are changed, the contract is no longer considered a valid mechanism by which to legally transfer data outside of the EU. From a substantive perspective, SCCs fare no better. For example, SCCs require data importers outside of the EU to allow the relevant EU data exporters to audit the importers' data processing facilities. This is a difficult ask for large U.S. service providers, such as cloud storage providers, that have thousands of clients. BCRs, while a highly effective mechanism for data transfers once implemented, typically take more than a year to put into place and require the expenditure of significant monetary and human resources. As a result, fewer than 100 companies worldwide have implemented BCRs as their data transfer mechanism.

The Privacy Shield is much more flexible than SCCs and does not require the significant investment necessary to implement BCRs. To certify to the Privacy Shield, a business in the U.S. must agree to abide by the seven principles that make up the Shield. These principles, which include requirements for the certifying organization to provide EU individuals with notice about the business's data-handling practices and with choices regarding certain uses and disclosures of personal data, resemble the corresponding EU data protection principles. Typically, a company considering certifying to the Privacy Shield would spend several months assessing its data management processes, conducting a gap analysis and developing the internal policies and procedures necessary to comply with the Privacy Shield. Once the underlying work has been completed and the company has certified its compliance with the Privacy Shield principles, the organization may receive personal data in the U.S. from an unlimited number of EU data exporters, including the company's affiliated entities in the EU. Although certifying to the Privacy Shield requires a commitment of time and resources, the investment necessary to certify (and to undertake the required annual re-certification) is far less significant than that required to implement BCRs.

Risks Associated with the Privacy Shield

The biggest risk associated with the Privacy Shield, and the risk that leaves many U.S. companies hesitant to certify, is that the Privacy Shield could suffer the same fate as the Safe Harbor. Like the Safe Harbor, the Privacy Shield is likely to undergo a legal challenge that could render the framework invalid as a legal mechanism by which to transfer personal data from the EU to the U.S. Certain EU privacy advocates have already indicated that they plan to bring a legal challenge because they believe the Privacy Shield's protections do not sufficiently safeguard the rights and freedoms of EU data subjects.

There is also a risk that the Privacy Shield could be found to provide inadequate protection under the EU General Data Protection Regulation, which is due to come into force in May 2018. The Privacy Shield's existing adequacy decision is based on the current EU data protection regime under the EU Data Protection Directive, and that regime will be replaced in full in less than two years.

Although the Privacy Shield's fate is uncertain, its odds of survival are strong. The drafters of the Privacy Shield sought to address each issue identified by the European Court of Justice in its decision invalidating the Safe Harbor. While not bulletproof, the Privacy Shield is likely crafted carefully enough to withstand a legal challenge. Importantly, the Privacy Shield will be reviewed by EU and U.S. government representatives on an annual basis, giving the relevant regulators on both sides of the Atlantic an opportunity to tweak the framework, remediate vulnerabilities and clarify ambiguities.

The Verdict

The Privacy Shield is likely to be a popular choice for U.S. companies to legitimize their receipt of personal data from the EU. Several large U.S. technology companies have already signaled their intention to certify to the Privacy Shield, and many other U.S.-based organizations undoubtedly will follow suit. For those companies that receive in the U.S. a significant amount of personal data from the EU, the Privacy Shield is an attractive choice of data transfer mechanism. Given the flexibility offered by the Privacy Shield and the protections it provides to EU individuals, there is reason to be optimistic about the Privacy Shield's future.


Lisa J. Sotto is a partner and chair of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP in New York. She may be reached at (212) 309-1223 or lsotto@hunton.com.
