Emerging Markets Law

New EU Privacy Shield: Uncertainty Still Abounds

Posted In Privacy

United States businesses have been on tenterhooks since October, when the European Union's (EU) highest court dismantled a privacy scheme covering trans-Atlantic data transfers. That scheme, the Safe Harbor, was a negotiated solution allowing U.S. businesses to self-certify that they met certain privacy standards, and thereby to avoid dealing with laws and regulators in every individual EU member country. With the dismantling of Safe Harbor, the EU and U.S. have been scrambling to negotiate a replacement. 

Earlier this week, the "Privacy Shield" that will replace Safe Harbor was announced. Details are not yet fully available (a draft has not been published), but we know they include periodic review of U.S. practices and promises, the appointment of a U.S. ombudsman, certain individual rights of action for EU citizens who feel their information has been mishandled, and more. As of today, EU member countries say they will hold off prosecuting U.S. companies for privacy violations for at least a few months, pending implementation of the Privacy Shield.

However, U.S. businesses still do not know what the precise legal rules are that apply to their use of data from EU persons (employees, customers, vendors). In light of the uncertainty, and until the Privacy Shield is published along with any guidance from U.S. regulators, any business with trans-Atlantic connections should use caution and should be aware of where its data resides. 

Stay Connected

Subscribe to blog updates via email

Contributors