EU-US Privacy Shield’s new requirements: what you need to do now

Organizations that choose to certify by Oct. 1, 2016, will benefit from a nine-month leniency period

With the recent approval of the EU-US Privacy Shield transatlantic data transfer pact, approximately 4,500 companies must contend with a new set of requirements and issues to ensure compliance.

Starting August 1, US companies may begin to submit self-certifications to the EU-US Privacy Shield framework at www.privacyshield.gov. Previously certified companies under the predecessor framework (Safe Harbor, which was invalidated in October 2015) are well-positioned to certify with Privacy Shield.

Companies affected:

US companies that move and/or store personal data, including: energy organizations, financial institutions, retail and e-commerce companies with European customer information, online advertising companies, companies that store data via cloud services on behalf of European companies (such as technology and transportation businesses), and companies that store human resources documentation on European employees. Since the US Federal Trade Commission (FTC) does not have jurisdiction over banks and telecommunications, banks and telecommunications operators are not eligible to participate in Privacy Shield.1

1Annexes to the Commission Implementing Decision re: the EU-US Privacy Shield – Annex IV, page 61

Privacy Shield overview, risks, and compliance

The new EU-US Privacy Shield pact requires companies to report cyberattacks and incidents where data has been breached.

Privacy Shield adds new fundamental and procedural requirements that may compel companies to adopt and implement new internal policies and procedures prior to certification, including:

• data retention procedures
• recordkeeping
• training

The pact also mandates that all EU-member states (including the UK for now) work closer together on network and information security, specifically to lock down critical national infrastructure.

Finally, companies should plan on additional compliance scrutiny from US regulators in enforcing Privacy Shield, even after leaving the program. In contrast to Safe Harbor provisions, once a company is certified under Privacy Shield, it must delete any information collected under it or must continue to follow Privacy Shield’s principles to safeguard it.  

Bottom line: What to do now

• Start early. The Department of Commerce has provided an incentive for US companies to certify quickly. Those that certify within two months, by October 1, 2016, will benefit from a nine-month leniency period around aligning third-party contracts with the new requirements for onward transfers.
• Understand the potential risks and gaps in moving from Safe Harbor to Privacy Shield certification and compliance. For those companies that were compliant with Safe Harbor’s principles and routinely verified compliance, many of the same requirements exist in Privacy Shield. However, there are additional specific requirements and protocols that must be satisfied. For instance, due care should be given to updating the company’s external-facing privacy policy, developing internal policies and procedures to comply with new Privacy Shield requirements, and closely managing relationships with third parties that will receive data covered under Privacy Shield provisions.  
• Conduct a compliance readiness assessment to understand the changes and new requirements to data transfer processes and oversight and how the changes will impact your current data transfer process. Companies that certify compliance with the Privacy Shield principles and fail to comply are subject to enforcement by the US Department of Transportation or Federal Trade Commission for engaging in unfair or deceptive trade practices. The program requires procedures in place for verifying compliance.
• Develop a new data transfer compliance strategy with prioritized requirements, data management procedures, and resource training.
• Closely monitor developments related to the EU-US Privacy Shield implementation, its requirements, oversight, and enforcement details as specific impacts continue to emerge.

For more information on the new Privacy Shield certification process, moving from Safe Harbor to Privacy Shield, or understanding your readiness for compliance, contact Baker Tilly’s cybersecurity and information technology risk practice.