If your company transfers the personal information of European Union citizens to the United States, you likely have kept a close eye on the evolution of EU privacy law since a European court invalidated the former EU-U.S. Safe Harbor agreement. Recently, after nine months of uncertainty, the EU and U.S. reached a new accord termed the Privacy Shield. Similar to the defunct Safe Harbor, the Privacy Shield allows companies to self-certify their compliance with the Privacy Shield’s data protection principles.
The U.S. Commerce Department will begin accepting self-certifications on August 1, 2016. Because adhering to the Privacy Shield’s principles will likely affect companies’ commercial relationships with third parties, companies that self-certify before September 30, 2016 will have a nine-month grace period for bringing existing commercial relationships into compliance. Although the grace period offers companies an incentive to promptly self-certify, companies must still take a number of steps before doing so, such as updating their privacy policies and establishing a procedure for investigating complaints. Thus, the clock is ticking for companies that want to use the grace period to bring their commercial relationships into compliance with the Privacy Shield.
The Privacy Shield provides a much-awaited mechanism for legitimizing transatlantic transfers of personal data.