Who should be concerned?

Companies receiving, either directly or through third parties, personal data from Europe will need to comply with the new requirements. Many companies may have already adopted Safe Harbor provisions, but these are no longer valid protections[1]. When considering whether this applies to your company, evaluate all data and information that your company currently receives, stores, accesses, or handles in any way.
Here are some questions that may help determine whether these requirements apply to you:

If you answered yes to any of these questions, you may need to comply with these new regulations.

What has changed?

The former Safe Harbor principles no longer protect U.S. companies from potential European data privacy suits. In addition, the U.S. Department of Commerce will now be monitoring and enforcing compliance by U.S. companies. In the past, the Safe Harbor principles were voluntary and companies could choose to adopt them.

The European Union and the United States are still negotiating these more stringent provisions, now called the US-EU Privacy Shield. Here is a preview of some of the proposed new principles:

How do I react?

If these requirements apply to your company, you need to begin assessing your current data privacy and protection policies and procedures. The proposed rules and principles are being evaluated by the E.U. and still need to be voted on by the E.U. Commission.

Here are some areas you may need to begin to develop, review, and update to ensure they comply:

VPS is committed to supporting firms and companies with these new principles and the certification process. Contact us today to learn how we can assess your current processes and procedures, manage any changes or updates needed, and monitor your ongoing privacy protection measures.

[1] The European Court of Justice ruled on October 6, 2015 that the old Safe Harbor framework is invalid (see http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf)

[2] The Judicial Redress Act of 2015 passed on February 24, 2016 (see https://www.congress.gov/bill/114th-congress/house-bill/1428)

[3] As part of its certification of compliance with the Privacy Shield Principles, a company must agree that it “will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken” (see http://www.natlawreview.com/article/european-commission-releases-details-new-eu-us-privacy-shield#sthash.t6zqKykm.dpuf)

[4] See http://www.natlawreview.com/article/european-commission-releases-details-new-eu-us-privacy-shield

[5] Notice, choice, accountability of onward transfers, data security, data integrity, purpose limitation, data access, recourse, enforcement, and liability (see http://www.natlawreview.com/article/european-commission-releases-details-new-eu-us-privacy-shield#sthash.t6zqKykm.dpuf)

[6] See more specific requirements at https://www.commerce.gov/news/fact-sheets/2016/02/fact-sheet-overview-eu-us-privacy-shield-framework