After several months of negotiations following October’s Schrems v. Data Protection Authority ruling, the European Commission (EC) and the U.S. have announced a new data transfer deal, the EU-US Privacy Shield. The new deal is a replacement of the Safe Harbor agreement, which was struck down by the EC “on the grounds that U.S. mass surveillance programs were violating fundamental privacy rights of European citizens.”
According to a press release from the European Commission:
The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including increased cooperation with European Data Protection Authorities.
How Can U.S. Companies Prepare for Privacy Shield?
Though a new agreement has been reached, it will still take several more months for the EU-US Privacy Shield to go into effect for U.S. companies. “Once details of the new scheme are released, U.S. companies, which have already self-certified under the old Safe Harbor scheme, will need to determine what additional actions, if any, they will have to take in order to comply with the new EU-US Privacy Shield.” (Lexology.com, Dorsey & Whitney LLP)
If you are a U.S. company waiting for the final details of the Privacy Shield, you can still prepare to ensure your company complies with the new EU privacy laws. Here are a few best practices that can help you comply:
- Know exactly where your data is being stored – Companies that handle data of EU citizens should have a plan in place to prove they know exactly where that data resides. Using enterprise-grade secure solutions like Thru for data sharing and storage, which demonstrate strong information governance capabilities, will better position you to comply with new data privacy regulations.
- Enforce strict data security – A strong data security plan is crucial for remaining compliant. In addition to thorough security for internal hardware and data handling procedures, companies must also ensure that outsourced software and infrastructure vendors and partners adhere to equally strict standards, such as encryption, access controls and certifications like ISO 27001.
- Partner with providers that can host data in the EU – One of the best ways U.S. companies can comply with EU data privacy regulations is by partnering with vendors that have data centers located in the EU. Thru has private datacenters in Europe and around the world that comply with strict data privacy rules.
(Reference: The EU Safe Harbor Agreement Is Dead, Here’s What To Do About It, Forbes Business)
Only time will tell when the new EU-US Privacy Shield is enacted. There is still the possibility of the framework being challenged by privacy activists, as happened in the Schrems ruling, but whatever the outcome, U.S. companies must be prepared to ensure they comply with any new and existing data privacy laws of the EU.