Goodbye Safe Harbor, Hello Privacy Shield

By Kevin Iwamoto, Senior Consultant

Last fall, the European Court of Justice made a ruling that affected thousands of companies that rely on moving information between Europe and the United States. The case was Schrems v. Data Protection Authority, in which an Austrian privacy activist challenged the legality of Facebook’s handling of his personal information under European privacy laws. The lawsuit resulted in the European court invalidating the U.S.-EU Safe Harbor agreement, which had been in place for 15 years and had been the go-to regulation on how U.S. companies handled their European customers’ personal information. More than 5,000 U.S. companies were affected by the nullification of Safe Harbor, as the EU forbids the transfer of personal data outside its borders unless certain safeguards are in place. For planners, that includes data as basic as a credit card number used to pay for registration.

On July 12 of this year, the European Commission approved the new Privacy Shield Framework program, administered by the International Trade Administration within the U.S. Department of Commerce, which is said to alleviate the problems with Safe Harbor.

As with Safe Harbor, U.S.-based organizations will be required to apply to the Department of Commerce and self-certify their data-protection capabilities, as well as publicly commit to comply with the Framework’s requirements. Joining the Framework is voluntary, but once an eligible organization makes the public commitment to comply with its requirements, that commitment becomes enforceable under U.S. law. The DOC’s website contains a useful section of frequently asked questions and provides the links and pages that companies will need in order to move forward with self-certification.

The Framework’s so-called Privacy Principles apply immediately upon certification. In recognition that these principles will impact existing and future commercial relationships with third parties, the Framework allows organizations that submit their self-certification to the Department of Commerce within the first two months (between Aug. 1 and Sept. 30, 2016) up to nine months from the date upon which they certify to bring existing commercial relationships with third parties into conformity.

There is a fee to join the U.S.-EU Privacy Shield Framework based on the applying organization’s annual revenue:

  • $0 to $5 million: $250
  • Over $5 million to $25 million: $650
  • Over $25 million to $500 million: $1,000
  • Over $500 million to $5 billion: $2,500
  • Over $5 billion: $3,250

If you do business across the Atlantic in the U.K. and/or continental Europe and have access to and handle consumer information, you should register your company sooner rather than later so your business won’t be disrupted by a lack of compliance with data-privacy requirements that are very comprehensive — and taken very seriously by our transatlantic neighbors.

This article originally appeared in Meetings & Conventions Magazine on August 15, 2016.