Last month saw an agreement reached between the US department of commerce and the European commission, to update the terms of the previous Safe Harbor agreement. You can read about that more in our previous blog post here; EU – US Agreement reached in Safe Harbor Negotiations.
The new privacy shield has yet to be signed into law, it must first get a vote of confidence from EU member states.
However in the meantime compliance professionals can adequately prepare, as a preliminary draft, or guideline to the principles companies will have to abide by under the new privacy shield was made public on the 29th Feb. This was the first chance US companies got to read, in detail, the principals laid out in the privacy shield.
What has become clear to US companies and compliance professionals who have read the draft, is that the governance and regulation of EU transatlantic data will increase, and the burden placed on companies to comply with these changes will intensify.
Third Party Responsibility
One of the bigger changes laid out in the draft, is stricter control and regulation imposed on data passing through third party data processors. In these instances contracts must be signed by both parties, which agree that the data may only be processed for limited and specified purposes consistent with individual consent. This ‘individual consent’ will likely be an area of contempt(word) for US companies, as under the new Privacy Shield, companies must provide Individuals with the choice to “opt-out” when their personal data is shared with third parties. Time will tell the extent to which European citizens can flex this right of individual consent.
Effect on Compliance
For now what has become evident from the first draft, is that the governance and regulation of EU data is set to increase, and US companies can either adopt a culture which accepts the changes, or face what will likely be strong sanctions. However for most US companies which already have a strong compliance culture, the transition from the Safe Harbor to Privacy Shield shouldn’t be problematic.
An EU member state vote on the privacy shield is likely to take place in the coming weeks, giving compliance officers adequate time to adopt a new culture around data privacy, by anticipating the changes and preparing in advance for the new Privacy Shield to be passed into law.
If you would like to prepare your compliance department in advance, the adequacy draft for the privacy shield can be viewed here.
Subscribe to our blog, for more updates regarding the EU-US Privacy Shield