With the Article 29 Working Party's position on the adequacy of the EU-U.S. Privacy Shield framework agreement (Privacy Shield) decision expected this week, U.S. businesses should be evaluating privacy options and preparing to make significant adjustments to internal procedures. In this newsletter, we cover key considerations for businesses weighing whether to join the Privacy Shield, what to expect from last week's leak, and the impact of a possible rejected decision.
Joining the Privacy Shield is completely voluntary, and it is a decision that no U.S. organization should take lightly, especially as there are other methods of transatlantic data transfer, such as the EU Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The Privacy Shield introduces many additional obligations and liability for U.S. organizations, including:
Unfortunately, failure to comply with the Privacy Shield requirements could result in sanctions or exclusion from the framework. Even if an organization determines that it no longer wants to participate in the Privacy Shield and elects to withdraw, it may remain subject to the Privacy Shield for a long time. Any U.S. organization that was part of the Privacy Shield and elects to withdraw, yet wishes to retain information collected while a part of the Privacy Shield, would be required to annually re-certify its commitment to apply the Privacy Principles to information received under the...