The European Commission recently voted to adopt the EU-US Privacy Shield program, replacing the Safe Harbor framework that was invalidated by the European Court of Justice in October 2015.
Under the new framework, companies are subject to a stricter and more comprehensive set of guidelines for protecting the personal data of EU citizens. Participating companies must:
- Adhere to the seven Privacy Principles, and to the supplemental principles set forth by the Department of Commerce
- Submit to the oversight and jurisdiction of US regulatory enforcement
- Allow EU citizens the opportunity to choose whether their data can be shared with third parties
- Ensure that third parties that receive personal EU data also comply with Privacy Shield requirements
- Accept and respond within 45 days to privacy-related complaints from EU citizens
While this new program opens the doors for transatlantic data transfer, a couple of questions remain to be answered.
With the British exit from the EU on the horizon, it is not yet clear whether the UK will opt to participate in Privacy Shield or will work toward a separate standard. Many believe that the UK will be required to participate in the Privacy Shield program as a condition of trade with the EU, or even as a condition of being allowed to leave the EU.
Withstanding Judicial Review
It is also not certain that the Privacy Shield framework can survive judicial review. The program is certain to be challenged before the European Court of Justice, and critics of Privacy Shield contend that its guidelines do not adequately protect the data of EU citizens.
What is clear is that American companies that collect, store or transmit EU data need to embrace the Privacy Shield principles and be prepared to move forward. The Department of Commerce will begin accepting Privacy Shield program applications on August 1st, 2016.
Keeping the Data Local
US companies that operate in the UK have another option: keep the data local. US-based companies that have operations in the UK, or that require hosting services there, can protect themselves by partnering with a US-based cloud provider that has a data center footprint in the UK. By hosting with a US company that operates data centers within the EU, and keeping the data local, a US company dramatically reduces the impact of the new Privacy Shield program on its business.
Lume has successfully transitioned from the previous Safe Harbor framework and is now certified under, and adheres to, the new Privacy Shield program.
You can read the entire European Commission Implementing Decision here.