The US Department of Commerce announced that it will begin accepting applications for Privacy Shield certification on August 1.
For US organizations collecting personal data from the EU, the past year has been an anxious one: the European Court of Justice invalidated the EU-US Safe Harbor program in October 2015, and the terms of a far-reaching General Data Protection Regulation (GDPR) have been promulgated to replace the EU’s 1995 Data Protection Directive. One of the major impacts of the GDPR – when it takes effect in May 2018 – is that it will apply to US businesses that sell to, make services available to or somehow target data subjects in the EU – even if those US businesses have no operations or affiliates in the EU. With the GDPR looming, the issue of cross-border data transfers and the significance of the Privacy Shield program for US businesses are likely to become even more relevant.
On July 12, the European Commission and the US Department of Commerce issued the final text of the replacement for the defunct Safe Harbor program. The new program, dubbed Privacy Shield, is effective immediately but will not become truly operational until the Commerce Department starts accepting certifications on August 1, 2016. The new program is also almost certain to be subject to a challenge before the European Court of Justice, and so the long-term viability of Privacy Shield is somewhat uncertain.
The main questions for US-based organizations are: how does this final version of Privacy Shield differ from the initial version; what practical steps can companies take to prepare for certification; and should companies certify to Privacy Shield or rely on an alternative data transfer mechanism, such as standard contractual clauses?