On February 29 the European Commission released its Draft Adequacy Decision and supplemental documents on the EU-U.S. Privacy Shield (“Privacy Shield”), giving businesses that transfer data from the European Union to the United States their first detailed look at the new trans-Atlantic data transfer arrangement. Like the U.S.-EU Safe Harbor Framework, the Privacy Shield will be a voluntary self-certification framework administered by the U.S. Department of Commerce, and will allow U.S.-based companies to facilitate data transfers from Europe in lieu of using model contractual clauses or Binding Corporate Rules (“BCRs”).
While the Privacy Shield offers a simplified method for importing personal data from the EU, it also imposes more rigorous – and likely more costly – oversight, redress, and enforcement obligations on participating businesses. The Privacy Shield will require companies to adhere to strong privacy protection obligations and dispute resolution requirements, and promises increased compliance scrutiny by U.S. and EU regulators.
The Privacy Shield’s implementation is still many months away. In the meantime, U.S. companies should examine the increased monitoring and privacy requirements that they will be subject to and determine whether the Privacy Shield will be a better alternative to BCRs and model contractual clauses. Please read the full advisory here.