A New Era of EU-US Data Protection: The Privacy Shield
[Originally posted on ACC Docket]
European and US regulators hammered out a data protection framework to smooth digital business across the Atlantic.
The news of the Privacy Shield may not have stolen headlines in popular media, but it’s welcomed news that US and European regulators have approved a data protection framework that aligns the two trade giants on data and consumer privacy.
Last week, officials on both sides of the Atlantic announced the joint approval of the EU-US Privacy Shield Framework. The framework gives companies in the United States a defined mechanism to comply with Europe’s comparatively stringent privacy and data-protection laws which, in turn, provides more certainty to EU-US counterparts for commercial requirements and negotiations. The previous framework, commonly referred to as the EU-US Safe Harbor, was tossed out last October by the European Court of Justice after Edward Snowden’s NSA leaks tipped the first domino leading to increased scrutiny of US data protection practices and policies and an eventual lawsuit involving tech giant Facebook.
The Privacy Shield is now being reviewed and considered by thousands of American companies — not just tech industry leaders known for hosting masses of data. The US Chamber of Commerce has estimated that more than 4,400 American firms host, process, and analyze Europeans’ data in some, way, shape, or form. This transatlantic digital commerce accounts for more than $6 trillion in trade, and supports more than 15 million jobs on both continents. As US Commerce Secretary Penny Pritzker, said in her announcement, “For businesses, the free flow of data makes it possible for a startup in Silicon Valley to hire programmers in the Czech Republic, or a manufacturer in Germany to collaborate with a research lab in Tennessee. For consumers, the free flow of data means that you can take advantage of the latest, most innovative digital products and services, no matter where they originate.” Since businesses are operating this way, it’s critical to have a framework like the Privacy Shield in place.
What do US companies need to do to comply? That’s a question that can’t be summarily provided in one blog post. Privacy officers, lawyers, barristers, and others are actively reviewing as they look toward August 1, 2016, as the date certifications will begin to be accepted. Essentially, the first step is to self-certify with the US Department of Commerce. There are several key components required for verification through various steps: informing individuals about data processing, providing dispute resolution, cooperating with the US Department of Commerce and submitting to certain process, maintaining data integrity and limited use purposes, oversight and control of subcontractors, and submitting to matters publicly.
* To learn more about this certification process, the US Department of Commerce has created a guide on beginning the process