On Dec. 19, 2018, the European Commission published the results of its annual review of the U.S.-EU Privacy Shield Framework. While the U.S.-EU Privacy Shield still meets the adequacy requirements of the General Data Protection Regulation (GDPR), the U.S. must take swift steps to make additional improvements to Privacy Shield, such as appointing a permanent ombudsperson.
GDPR adequacy requirement
Organizations both within and outside of the EU that process or otherwise handle the personal information of EU residents must comply with the GDPR, the most comprehensive and rigorous data privacy regulation to date. To comply, organizations must not only observe the new rights of data subjects, but also safeguard their personal data, particularly when transferring it to countries outside the EU.
According to the GDPR, transfers of personal data to another country may only take place if the European Commission has determined that the country “ensures an adequate level of protection” for that information. If not, the responsibility falls to the organization to take measures to prove acceptable safeguards are in place. The current legal standards in the U.S. do not meet the EU criteria for adequacy (in part due to the EU’s concerns about U.S. government surveillance practices), increasing the compliance effort for U.S. companies.
Certification with the U.S.-EU Privacy Shield
Organizations in the U.S. have a legal mechanism option under GDPR for transferring data from the EU, such as Binding Corporate Rules (BCRs), Standard Contract Clauses, or Privacy Shield certification. If an organization chooses to exercise the Privacy Shield option as part of its overall compliance efforts, the organization will need to accept the Privacy Shield framework and self-certify with the U.S. Department of Commerce. It should be noted that simply self-certifying does not make an organization GDPR compliant; it is only one piece of the puzzle. For this reason, commercial companies (who transfer any personal data out of the EU) should give serious consideration to certification with the U.S.-EU Privacy Shield.
The U.S.-EU Privacy Shield Framework is a self-certification program through the Department of Commerce that has become the industry standard since 2016. The certification process involves taking specific actions to adhere to notification rules and security principles. However, many of the steps required for self-certification are actions organizations should take to build a robust data privacy program.
The annual report published by the European Commission described new efforts by the Department of Commerce to oversee compliance of the framework. For example, random “spot checks” revealed of 100 companies that were reviewed, 21 had compliance issues requiring remediation efforts. Review procedures also include analysis to ensure Privacy Shield participants have correct and adequate privacy policies displayed on their websites.
Steps to take now
Commercial organizations that receive personal information from the EU should perform a GDPR assessment, remediate gaps with the regulation and perform the Privacy Shield self-certification. Baker Tilly can provide expert staff to assist with these efforts including the following key compliance steps:
- Update the privacy notice. An organization’s public privacy notice must accurately capture how the company is using personal data must include specific Privacy Shield language.
- Review security principles. Organizations must review IT security controls and ensure personal information is protected.
- Review third-party data sharing practices. When EU personal information is shared with third parties, appropriate contracts must be in place.
- Designate a point of contact. Organizations must determine who will serve as the point of contact for data privacy regulation matters, such as a data protection officer (DPO).
For more information on this topic, or to learn how Baker Tilly specialists can help you with privacy program development, regulatory compliance or assessing readiness, contact our team.