Who should be concerned?
Companies receiving personal data from Europe, either directly or through third parties, will need to comply with the new requirements. Many companies may have already adopted Safe Harbor provisions, but these no longer provide valid protection. When considering whether this applies to your company, evaluate all data and information that your company currently receives, stores, accesses, or otherwise handles.
Here are some questions that may help determine whether these requirements apply to you:
- Did you previously adopt Safe Harbor rules?
- Are your services sold in or accessible to Europe?
- Are you an e-commerce company whose products and/or services could be purchased by individuals in Europe?
- Do you sell or provide services to European companies?
- Do you have employees in Europe?
If you answered yes to any of these questions, you may need to comply with these new regulations.
What has changed?
The former Safe Harbor principles no longer protect U.S. companies from potential European data privacy suits. In addition, the U.S. Department of Commerce will now monitor and enforce compliance by U.S. companies. In the past, the Safe Harbor principles were voluntary, and companies could choose whether to adopt them.
The European Union and the United States are still negotiating these stricter provisions, now being called the EU-US Privacy Shield. Here is a preview of some of the proposed new principles:
Greater Cooperation with the E.U. Data Protection Authorities
- The U.S. has given the E.U. written assurance that there are clear limits, protections, and monitoring of how personal data is accessed by U.S. agencies.
- E.U. citizens now have the right to bring privacy suits against U.S. agencies, similar to the rights U.S. citizens already have.
- U.S. companies must also cooperate with E.U. Data Protection Authorities.
New Monitoring and Enforcement
- The U.S. Department of Commerce, through the Federal Trade Commission and a newly created Ombudsman, will now monitor compliance by U.S. companies and enforce the new principles.
- The U.S. Department of Commerce will maintain a list of companies that have self-certified their adherence to the Privacy Shield Principles.
- The Department of Commerce will publicly “name and shame” U.S. companies that are not in compliance with their commitments under the EU-US Privacy Shield.
Mechanisms and Detailed Disclosure for Adherence
The principles are still founded on the U.S. Department of Commerce’s original Safe Harbor guidance, but companies will now be required to provide far more detail about the processes and safeguards they have implemented to adhere to these principles.
- Companies will have to provide a free alternative dispute resolution process and resolve complaints within 45 days.
- Companies will need to regularly follow up and verify that the mechanisms protecting personal data are in place and working.
- Companies must resolve any problems they discover or that regulators bring to their attention.
- Your online privacy policies must include a link to the Department of Commerce’s Privacy Shield website and a link to the website or complaint submission form of the independent recourse mechanism available to investigate individual complaints.
How do I react?
If these requirements apply to your company, you need to begin assessing your current data privacy and protection policies and procedures. The proposed rules and principles are still being evaluated by the E.U. and have yet to be voted on by the E.U. Commission.
Here are some areas you may need to develop, review, or update to ensure compliance:
- Customer and vendor contracts
- Data handling policies and processes
- Dispute resolution process for complaints
- Human Resources information
VPS is committed to supporting firms and companies with these new principles and the certification process. Contact us today to learn how we can assess your current processes and procedures, manage any changes or updates needed, and monitor your ongoing privacy protection measures.
Notes
1. The European Court of Justice ruled on October 6, 2015 that the old Safe Harbor framework is invalid (see http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf).
2. The Judicial Redress Act of 2015 passed on February 24, 2016 (see https://www.congress.gov/bill/114th-congress/house-bill/1428).
3. As part of its certification of compliance with the Privacy Shield Principles, a company must agree that it “will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken” (see http://www.natlawreview.com/article/european-commission-releases-details-new-eu-us-privacy-shield).
4. See http://www.natlawreview.com/article/european-commission-releases-details-new-eu-us-privacy-shield.
5. The principles cover notice, choice, accountability for onward transfers, data security, data integrity, purpose limitation, data access, recourse, enforcement, and liability (see http://www.natlawreview.com/article/european-commission-releases-details-new-eu-us-privacy-shield).
6. See more specific requirements at https://www.commerce.gov/news/fact-sheets/2016/02/fact-sheet-overview-eu-us-privacy-shield-framework.