New Safe Harbor Process for Transfer of Personal Data Between US and EU

Contributed by Ryan P. Siney

If your company does business in Europe — including by selling products or services or by employing or collecting information about European residents — and transfers information or data to the US, you must comply with new EU laws and regulations regarding the protection and transfer of personal data.  As of August 1, 2016, companies can register for the Privacy Shield program, which provides a safe harbor process for complying with EU requirements for the transfer of personal data from the EU to the US.

The Privacy Shield program is approved by the European Commission as a method for complying with EU law on data protection, and companies that sign up for the Privacy Shield program are deemed to provide adequate protection for the transfer of data.  The Privacy Shield program replaces the Safe Harbor Framework, which is no longer recognized as adequate to comply with EU law.  If your company formerly complied with EU law by implementing the Safe Harbor Framework, it is important that you register for and implement the Privacy Shield program immediately.

The Privacy Shield program is jointly administered by the United States Department of Commerce and the European Commission.  By registering for the program, companies must certify that they will comply with certain privacy principles and adopt minimum protections regarding personal data, such as:

— adopting a written privacy policy containing a declaration of the company’s commitment to the Privacy Shield principles;
— providing written notice to individuals about the use of their personal information and about any data breaches;
— informing individuals about their right to access their own personal data and the company’s obligation to disclose personal information in response to lawful requests by public authorities;
— providing free resolution of disputes, typically through arbitration or mediation, regarding personal data;
— limiting the transfer, access to and retention of personal data;
— entering into written contracts with any third-party data processors;
— implementing reasonable measures to ensure that data is adequately protected from unauthorized access or disclosure; and
— taking reasonable steps to prevent, stop and remediate unauthorized access to or processing of data.

Although participation in the Privacy Shield program is voluntary, a company may violate US law if it fails to follow its own policies and procedures regarding the protection and transfer of personal information.  Thus, a company must carefully plan, implement and observe its data protection policies and procedures in order to maintain compliance with US and EU law.

You can learn more and register for the Privacy Shield program at https://www.privacyshield.gov.

For more information about the legal requirements for the protection or transfer of data in the United States or internationally, please contact Ryan P. Siney at (717) 234-4121.