Important news alert for those of us in the global mobility world! Yesterday, the European Commission formally approved the EU-U.S. Privacy Shield Framework. This agreement covers thorough and enforceable protections for EU citizens’ personal data. You should be aware of what this means practically for you and your company, especially if you have any EU-U.S. employee mobility.
Effective immediately, the Privacy Shield replaces the Safe Harbor agreement that was struck down by the European Court of Justice in October 2015. Since Safe Harbor was invalidated, any EU data transfer to the U.S. has required more stringent protections and has been more complicated in the absence of set guidelines. This sped up negotiations on the Privacy Shield, and on February 2, an agreement was reached. A committee of EU member and privacy regulators recommended strengthening this draft, which has resulted in the recently adopted agreement.
So, how was the agreement strengthened? Here are a few of the more significant changes:
- If personal data is being used for something other than its originally intended purpose, companies must delete it.
- Companies that receive the data secondhand must follow the same data protection guidelines as the companies that signed up under the framework of the agreement.
- The U.S. gave more details on how data that is collected in bulk will be used.
It is important to note that company participation in the Privacy Shield is a voluntary and self-certifying process. U.S.-based companies that participate will need to publicly commit to complying with the requirements and complete the self-certification with the Department of Commerce. Once committed, the Framework’s requirements are enforceable under U.S. law. Here is a more detailed list of key new requirements that companies should review before moving forward.
What else do you need to know about this new agreement? It is divided into these four areas:
1. Rights of EU individuals – This section outlines what steps EU citizens can take if they believe their data has been compromised.
2. Program oversight – Here, the Framework outlines how the Department of Commerce and Federal Trade Commission will help with compliance and cooperation with the EU data privacy authorities.
3. Requirements for participating companies – Some of these new requirements are outlined above; this area outlines how companies will proceed and work with all involved parties to protect personal data.
4. Limitations of U.S. government access to data – The U.S. Department of Justice and intelligence agencies provide information about the restrictions for data access by government agencies.
To give companies time to review the Framework and update their compliance programs, the Department of Commerce will begin accepting certifications to the Privacy Shield on August 1. For more information and access to the full Framework, visit https://www.commerce.gov/privacyshield.