September 25, 2022

Volume XII, Number 268


U.S., EU Launch “Privacy Shield” Data Transfer Framework - What This Means For Your Business

Last fall, the framework for personal data exchange between the European Union and the United States that had operated for many years, the so-called “Safe Harbor,” was struck down by the European courts. A new framework, the “Privacy Shield,” was adopted last week; here are the key takeaways.

For US companies of any size that have operations in, or otherwise receive personal data from, EU countries and do not have another framework in place (i.e., “binding corporate rules” or “model contract clauses”), complying with the Privacy Shield requirements is, with certain limited exceptions, the only way to legally receive or transfer personal data from the European Union.

Certification for the Privacy Shield begins on August 1, though some of the necessary changes can be made before then. Additionally, there is a nine-month grace period for compliance with the onward data transfer provisions to “downstream” parties for companies that certify within two months after the effective date of the Privacy Shield (failure to certify within that period means that, as part of certification, the onward transfer compliance will already need to be in place).

At a high level, in order to be able to certify for the Privacy Shield:

  • most companies will need to revise their privacy policies to include the specific requirements of the Privacy Shield;

  • likewise, most US companies will need to adjust some of their practices in order to comply;

  • if there is HR (employees, contractors, etc.) data from EU citizens, there also are additional requirements that may involve updating internal policies and procedures; and

  • companies will need to put in place specific contractual requirements for all vendors and other third parties to whom EU personal data is transferred.

©2022 Katten Muchin Rosenman LLP

National Law Review, Volume VI, Number 229

About this Author

Doron Goldstein, Katten Muchin Law Firm, Intellectual Property Attorney
Partner

Doron S. Goldstein's practice primarily deals with intellectual property, information technology and advertising, marketing and branded entertainment transactions and counseling, including privacy and information security, trademark, copyright, software and technology matters, and he is co-head of Katten's Advertising, Marketing and Promotions practice and of the firm's Privacy, Data and Cybersecurity group.

Doron regularly advises on various aspects of integrated marketing campaigns, including talent and production agreements, advertising agency...

212-940-8840
Megan Hardiman, Katten Muchin Law Firm, Health Care Legal Specialist
Partner

Megan Hardiman draws on her broad regulatory background to advise clients on complex health information privacy issues, tax-exempt organization compliance issues, including maintaining tax-exempt status, IRS Form 990 reporting issues and best practices for executive compensation, state fee-splitting and corporate practice of medicine prohibitions and fraud and abuse compliance.

Megan devotes a significant portion of her practice to helping health care companies and business associates understand and meet the requirements of the Health Insurance Portability...

312-902-5488