Hilary Wandall, General Counsel & Chief Data Governance Officer at TRUSTe summarizes the top 10 reasons to implement the new EU-U.S. Privacy Shield even if you’ve implemented or have been working on implementing Model Contractual Clauses (MCCs).
At TRUSTe, we have nearly 20 years of experience working with thousands of companies to assess their privacy practices, and with many others to verify their compliance with regulatory frameworks like the APEC CBPR system and the former U.S.-EU Safe Harbor. This work has taught us that there are a number of legal, compliance and business benefits to implementing comprehensive privacy programs to manage international data transfers, compared with a transactional approach to transfers using MCCs. Below is a list of the top 10 reasons for organizations to self-certify their adherence to the EU-U.S. Privacy Shield:
- Speed – Unlike transfers on the basis of MCCs, transfers on the basis of Privacy Shield do not require prior authorization from, or notification to, 65% of EU data protection authorities; obtaining those authorizations can delay a project that relies on MCCs for data transfers by weeks to months.
- Less paperwork – While organizations must stand ready to demonstrate compliance with both Privacy Shield and MCCs, transfers on the basis of Privacy Shield do not require updates to and new signatures on contractual clauses each time a business process or data flow changes.
- Better recourse options – Instead of limiting individuals to bringing legal claims for breach of the MCCs, Privacy Shield provides individuals with opportunities to raise concerns directly with the certified organization, with independent dispute resolution providers, like TRUSTe, as well as new options, such as the independent arbitration panel and ombudsperson.
- Executive Support – Like its predecessor, Privacy Shield drives corporate sponsorship of privacy programs by requiring a corporate officer of the certifying organization to:
  - annually sign a statement verifying the company’s self-assessment of compliance, if compliance verification is done in house; and
  - sign a self-certification submission annually, subject to criminal enforcement under the U.S. False Statements Act for compliance misrepresentations, including a persistent failure to comply.
- Sustainability – Since it requires annual compliance verification and self-certification, Privacy Shield drives ongoing organizational engagement to demonstrate compliance better than MCCs that may be sitting in organizational filing cabinets once signed.
- Risk of existing MCC invalidation – Since the ECJ’s Schrems decision of 2015, the EU adequacy decisions regarding certain MCCs have been called into question. At the end of May 2016, the Irish Office of the Data Protection Commissioner applied to the Irish High Court for a referral to the ECJ to determine the legal status of data transfers under the MCCs. Privacy Shield certification mitigates the risk of data transfers based on existing MCCs being invalidated overnight, as the U.S.-EU Safe Harbor was.
- APEC CBPR Readiness – The governance and privacy principles necessary to comply with Privacy Shield are similar to the requirements for APEC CBPR certification. Organizations that operate in APEC member economies can leverage their Privacy Shield compliance to demonstrate readiness for APEC CBPR certification.
- EU BCR Readiness – The principles necessary to comply with Privacy Shield are similar to the data protection safeguards necessary for organizations seeking EU BCR approval. Organizations interested in EU BCR approval can leverage their Privacy Shield compliance as a starting point for their binding corporate rules, which will also require establishment of additional accountability, program governance and enforceability mechanisms.
- EU GDPR Readiness – The principles necessary to comply with Privacy Shield are similar to many of the data protection safeguards necessary for GDPR compliance. Organizations that operate or do business in the EU can leverage their Privacy Shield compliance as a starting point for the additional obligations they will have under GDPR, such as additional accountability and program governance, broader individual rights, privacy by design and default, PIAs and breach notification.
- Adequacy Readiness – In our policy and regulatory affairs work around the globe, we often hear “adequacy” referred to as the gold standard for privacy and data protection compliance. Since Privacy Shield is the first of the next-generation adequacy frameworks determined to provide adequacy post-Schrems, we believe it provides organizations with the best readiness assessment currently available for future data transfer adequacy requirements, such as transparency regarding government access, accountability for onward transfers and broad mechanisms for individual recourse.
For more information about TRUSTe’s Privacy Shield solutions see here or call 1-888-878-7830.