Posted by Sequel on April 7, 2017
Topic: blogs
Tags: binding corporate rules, EU Commission, EU data law, model contracts, privacy shield, U.S. Department of Commerce, Věra Jourová, Wilbur Ross
Ignoring EU Data Law Is Still Not an Option

U.S companies hoping to avoid compliance with the requirements of EU law may want to think twice. It’s really time to get on with it. Despite early rhetoric from the Trump Administration, discussions between the U.S. Department of Commerce and the EU Commission last week indicate that the best course for businesses involving data about EU citizens is to take the steps necessary to comply. U.S. officials sent a clear message that they stand behind the commitments of their predecessors to promote compliance by U.S. businesses, at least with respect to the Privacy Shield. This likely reflects a broader U.S. government position that is pro-compliance.

EU Justice Commissioner Věra Jourová was in Washington last week, meeting with U.S. officials about Privacy Shield. In her conversations with U.S. Secretary of Commerce Wilbur Ross, she received assurances that he understood the importance of the U.S.-EU Privacy Shield agreement and the commitments the U.S. had made to administer it. Jourová said she had “positive feelings” about the future of the Privacy Shield after speaking with Ross, the U.S. Chamber of Commerce, and various businesses. Jourová said she felt Privacy Shield was fulfilling its purpose, and that going forward privacy would be given due attention in the United States even as government pursues its national security obligations with renewed purpose.

The EU-U.S. Privacy Shield was designed to provide a mechanism for companies on both sides of the Atlantic to comply with data protection requirements when transferring personal data from the European Union to the United States. On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law. That agreement marked the conclusion of more than two years of discussions about whether existing data transfer mechanisms effectively protected European citizens.

To join the Privacy Shield Framework, a U.S.-based organization must self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to fulfill the Framework’s requirements, the commitment if enforceable under U.S. law.

Privacy Shield is only one of several mechanisms that provide support for legal transfer of data from the EU and U.S. While some companies find it useful, others continue to rely on Binding Corporate Rules and model contracts. In any case, this signal from the Commerce Department that it will continue to support the Privacy Shield indicates an awareness of the importance to businesses on both side of the Atlantic of keeping data flowing smoothly and in compliance with the law.

Comments are closed.