Why You Should Stick with Privacy Shield for Now

Now that the Schrems II decision is behind us and the EU-US Privacy Shield no longer provides a valid legal basis for data transfers from the EU to the U.S. does it still hold a place in the privacy story for US companies?

Will the US stand up an enhanced framework for this (Safe Harbor 3.0, Privacy Shield 2.0)? How long will that take? Will the EU look at it respectfully as a worthy means of transfer? For now, these are unanswerable questions. Effective July 16, 2020, companies previously relying on Privacy Shield must find another adequate transfer mechanism. For now, that includes Standard Contractual Clauses or Binding Corporate Rules. While there is no grace period for enforcement DPA’s are under resource constraints and likely to leave room for companies to evoke alternative adequacy provisions.

The 5,000+ companies that are certified under the Privacy Shield have dedicated substantial time and resources to put the proper compliance program in place to meet the privacy and security obligations spelled out in the program. Was all of that work done in vain?

No, it was not. Maintaining a solid data protection compliance program is an investment in the company’s brand, reputation, and ability to be successful. The work you did based on Privacy Shield, to significantly enhance your privacy and compliance program supporting your products, services, systems, and employees is still an important part of your privacy program maturity story.

Although Privacy Shield doesn’t satisfy the data transfer requirements, the principles of the program remain as a solid foundation of your privacy program.

• Privacy Shield demonstrates a commitment to data privacy
• Certification by Privacy Shield has commitments, obligations, and penalties
• The obligations in Privacy Shield are still binding
• Failing to follow the Privacy Shield principles or misrepresenting participation could result in FTC enforcement
• Privacy Shield aligns with GDPR principles including data minimization, retention, and data subject rights and appropriate security and data protection.
• Although the “supplementary measures” call out is still undefined it has been suggested that Privacy Shield principles might be one way to meet that standard.
• Privacy Shield 3.0 may emerge. Speculation is that the new agreement will likely require material changes of the U.S. government not the to the private sector obligations.

What should you do after Schrems II? Take our short quiz to find out.