Following European Commission adoption of the Privacy Shield on July 12, 2016, and with Privacy Shield self-certification poised to open for business organizations on August 1, 2016 as a replacement for the invalidated EU-U.S. Safe Harbor mechanism, U.S. businesses are actively evaluating the commitments they will need to make to self-certify (and to annually re-certify) under the Privacy Shield in order to receive personal data from the EU. There are important considerations in evaluating self-certification under the Privacy Shield, including the financial and time costs of self-certification. For example, a Privacy Shield-compliant privacy policy statement must be effective and publicly available before certification, and other oversight and enforcement mechanisms must be in place to ensure compliance with the Privacy Shield’s privacy principles. Furthermore, U.S. organizations must have written agreements with onward recipients of personal data guaranteeing the same level of protection that they self-certify to under the Privacy Shield Principles, which requires negotiating those separate agreements. A nine-month grace period is available to organizations that self-certify within the first two months of the Privacy Shield effective date, a powerful incentive for organizations with a substantial number of pre-existing third-party commercial relationships to self-certify early.