Update on Privacy Shield for Relocation Managers
Privacy Shield Update: Cartus Receives Privacy Shield Approval from the U.S. Department of Commerce (August 12, 2016)
Cartus is pleased to announce that we have received our Privacy Shield approval from the U.S. Department of Commerce. Cartus filed for Privacy Shield status with the U.S. Department of Commerce on the first day we were able (August 1, 2016), and we were part of the first group of companies to be approved.
The Article 29 Working Party has elected to take a “wait and see” approach on Privacy Shield. While they are not fully endorsing the Privacy Shield methodology, they are also not challenging it in court at present.
The Background on Privacy Shield (Originally Safe Harbor)
Last fall, the European Court of Justice (ECJ) invalidated the Safe Harbor rules governing data going to/from the EU. With Safe Harbor off the table, the EU allowed such data exchanges to continue when the exchanging parties had a contract in place which contained the so-called “EU Model Clauses” to protect the rights of the European data subjects.
Cartus had held Safe Harbor certification for many years and very quickly shifted gears to invite our clients to enter into Model Clause agreements so that the data exchanges could continue without interruption and in a compliant manner.
Even as we were entering into Model Clause agreements, the EU was considering how to better fill the gap left by the ECJ decision on Safe Harbor. What was initially called Safe Harbor 2.0 came to be known as Privacy Shield. One of the biggest concerns in the EU was the US Government’s surveillance rights and their impact on the privacy of EU data subjects.
New Developments on Privacy Shield
On the evening of July 11, the U.S. Department of Commerce and representatives of the European Union announced an agreement on Privacy Shield.
This announcement was carried widely in the mass media and was the subject of a recent Worldwide ERCR email to membership.
Privacy Shield melds pieces of Safe Harbor and Model Clauses. Like Safe Harbor, the U.S. company must file certain certifications with the U.S. Department of Commerce and, as with Model Clauses, enter into contracts that obligate it to follow certain mandated processes in handling data, managing disputes, etc.
Next Steps – What to Watch For
On timing, where are we?
Cartus was very excited to be at the leading edge of migration over to the Model Clauses last fall. Similarly, we’ve kept a close eye on the evolution of Privacy Shield so we can work with our clients to get that in place as soon as possible.
According to the U.S. Department of Commerce website, it will start accepting certification submissions on August 1, 2016. However, there are several groups in Europe who do not feel that the Privacy Shield arrangement is sufficiently protective of the rights of EU data subjects and that U.S. Government data surveillance remains a problem. Several well informed commentators expect legal challenges in the EU. One group—the influential “Article 29 Working Party” (which consists of data protection officials from EU member countries) is meeting on July 25 and their feedback on the Privacy Shield structure will be critical as to whether August 1 is a real start date; will need some adjustment, or whether this will be mired in litigation for the foreseeable future.
We will continue to monitor this situation and keep you apprised of developments.