Search News & Insights
Privacy Shield Update
AUTHOR(S): Anne-Marie Bohan, Pat English, Robert O’Shea, John Ryan, Mark O’Sullivan
PRACTICE AREA GROUP: Technology and Innovation, International Business, Asset Management and Investment Funds, Insurance and Reinsurance
As you will be aware from previous Matheson updates in our ongoing series relating to international data transfers, the General Data Protection Regulation and privacy generally, the EU-US Privacy Shield (the “Privacy Shield”), which replaces Safe Harbour, was approved with effect from 1 August 2016.
The Privacy Shield enables the legitimate transfer of personal data to a US-based organisation. The Privacy Shield operates under a system of self-certification through which US organisations agree to abide by specified privacy principles (the “Principles”), including in relation to notice, accountability for onward transmission to a third party, and recourse, enforcement and liability, thereby endowing personal data transfers from the European Economic Area to self-certifying entities with “essential equivalence” in terms of data protection.
While an application for self-certification can be made at any time, there may be a benefit in doing so now, before 30 September this year. In general, the Principles will apply immediately upon self-certification. There is, however, a limited exception relating to the accountability for onward transfer principle in cases where an organisation already has pre-existing commercial relationships with third parties to which it transfers personal data. Provided that self-certification takes place before 30 September, the certifying organisation will be in a position to avail of an (up to) nine month transitional period with regard to its existing commercial arrangements with third parties.
Please contact Anne-Marie Bohan or your usual Matheson contact if you have any queries or require any assistance in relation to the Privacy Shield.
Further reading on Data Protection:
The European Commission formally adopted the Privacy Shield framework on 12 July 2016, read our communication on the decision here.
On 6 October 2015, the Court of Justice of the European Union issued its ruling in the case of Schrems v Data Protection Commissioner.