10 Reasons to Implement the New EU-U.S. Privacy Shield

Even if you’ve implemented or are working on implementing Model Contractual Clauses (MCCs)

There are several legal, compliance, and business benefits to implementing comprehensive privacy programs to manage international data transfers versus a transactional approach to transfers using MCCs.

Here are the top 10 reasons for organizations to self-certify their adherence to the EU-U.S. Privacy Shield:

1. Speed

Unlike transfers based on MCCs, transfers based on Privacy Shield do not require prior authorization from or notification to 65% of EU data protection authorities. This can delay a project that relies on MCCs for data transfers by weeks to months.

2. Less paperwork

While organizations must stand ready to demonstrate compliance with both Privacy Shield and MCCs, transfers based on Privacy Shield do not require updates to and new signatures on contractual clauses each time a business process or data flow changes.

3. Better recourse options

Instead of limiting individuals to bringing legal claims for breach of the MCCs, Privacy Shield provides individuals with opportunities to raise concerns directly with the certified organization, with independent dispute resolution providers, and new options, such as the independent arbitration panel and ombudsperson.

4. Executive Support

Like its predecessor, Privacy Shield drives corporate sponsorship of privacy programs by requiring a corporate officer of the certifying organization to:

    • annually sign a statement verifying the company’s self-assessment of compliance if compliance verification is done in-house; and
    • sign a self-certification submission annually, subject to criminal enforcement under the U.S. False Statements Act for compliance misrepresentations, including a persistent failure to comply.

5. Sustainability

Since it requires annual compliance verification and self-certification, Privacy Shield drives ongoing organizational engagement to demonstrate compliance better than MCCs that may be sitting in organizational filing cabinets once signed.

6. Risk of existing MCC invalidation

Since the ECJ’s Schrems decision of 2015, the EU adequacy decisions regarding certain MCCs have been called into question. At the end of May 2016, the Irish Office of the Data Protection Commissioner applied to the Irish High Court for a referral to ECJ to determine the legal status of data transfers under the MCCs.

Privacy Shield certification mitigates the risk of data transfers based on existing MCCs being invalidated overnight like the U.S.-EU Safe Harbor.

7. APEC CBPR Readiness

The governance and privacy principles necessary to comply with Privacy Shield are similar to the requirements for APEC CBPR certification.

Organizations that operate in APEC member economies can leverage their Privacy Shield compliance to demonstrate readiness for APEC CBPR certification.

8. EU BCR Readiness

The principles necessary to comply with Privacy Shield are similar to the data protection safeguards necessary for organizations seeking EU BCR approval. Organizations interested in EU BCR approval can leverage their Privacy Shield compliance as a starting point for their binding corporate rules.

It will also require establishing additional accountability, program governance, and enforceability mechanisms.

9. EU GDPR Readiness

The principles necessary to comply with Privacy Shield are similar to many data protection safeguards necessary for GDPR compliance.

Organizations that operate or do business in the EU can leverage their Privacy Shield compliance as a starting point for the additional obligations they will have under GDPR, such as additional accountability and program governance, broader individual rights, privacy by design and default, PIAs, and breach notification.

10. Adequacy Readiness

In our policy and regulatory affairs work around the globe, we often hear “adequacy” referred to as the gold standard for privacy and data protection compliance.

Since Privacy Shield is the first of the next generation adequacy frameworks determined to provide adequacy post-Schrems, it provides organizations with the best readiness assessment currently available for future data transfer adequacy requirements. Such as transparency regarding government access, accountability for onward transfers, and broad mechanisms for individual recourse.