The New EU/US Privacy Shield Is Here: Are You Prepared for the New Regime?

Bloomberg Law’s combination of innovative analytics, research tools and practical guidance provides you with everything you need to be a successful litigator.

By Tera Brostoff

Oct. 25 — There is no question that the more stringent requirements of the new EU/US Data Privacy Shield and the General Data Protection Regulation will keep cross-border data transferers up at night.

For openers, the new laws regulating the transfer of personal data come with hefty penalties and shortened notification time frames. And at least one noted jurist has suggested that challenges to the new regulatory regime may keep it in a state of flux for the foreseeable future.

Data Protection Around the World

Personal data protection is, essentially, a fundamental human right outside of the United States, James Daley of Seyfarth Shaw LLP in Chicago, said Oct. 19. A safe harbor framework to govern the transfer of personal data was developed around 2000 and remained the law until 2015. It allowed U.S. companies to transfer EU citizens’ data to the U.S. if the companies satisfactorily demonstrated to the U.S. Department of Commerce their compliance with privacy principles.

In 2015, thousands of U.S. companies were left in a cross-border data transfer void when the European Union’s top court invalidated the U.S.-EU Safe Harbor Program in Schrems v. Data Protection Commisioner, 10/6/15 . 16 DDEE 331, 7/21/16 .

In February 2016, the European Commission filled that void by publishing the EU-U.S. Privacy Shield. The new cross-border data transfer regulation went into effect in August.

Stricter Protections

The new requirements are stricter than those of the Safe Harbor. The Privacy Shield includes more detailed notice requirements. Companies must include a list of disclosures in the privacy shield agreement and the notice must include a list of entities and subsidiaries also covered by the Privacy Shield.

In addition, the companies must make a commitment to the Privacy Shield for all personal information received from the EU, they must identify the independent dispute resolution body that would manage any arbitration related to data transfer, and describe any liability in transferring data to third parties.

The changes implicate everyone in the “supply chain” of a company involved in data transfers, including vendors, data centers and third-parties, and the penalties are high under the new regime.

“The maximum penalties under the General Data Protection Act amount to 10 million Euros per occurrence or four percent of your gross annual turnover, whichever is greater,” Daley said.

Is 72 Hours Enough?

The second main provision of the GDPR that “could keep you up at night” is the 72-hour breach notification requirement.

“Diagnosing how a breach happened and what happened will be hard in that time frame,” Daley said.

“If you have one server, a 72-hour notification period is adequate,” Nikos Leoutsarakos of Zeropasswords Inc. said. “If you have 40,000 servers in four continents, it’s not enough.”

Protection can’t be an afterthought, Leoutsarakos said.

The new regime also mandates that privacy controls be “baked into your systems.”

The new regulations discuss data protection by design and by default. By default implies that protection in your organization is assumed.

“Ignorance of these regulations isn’t an excuse,” Leoutsarakos said. “In addition, simply using or referring to the state-of-the-art isn’t an excuse either.”

“By design” means that data should be protected in all of its states, i.e., “When it’s sitting around on tapes, when it’s in transit and when data is being processed,” Leoutsarakos said.

Legal, Regulatory Demands Grow

As for legal and regulatory demands, Daley advised corporations and entities to take special care to look at their data transfer and processing contracts between data controllers and vendors.

“Once the data gets to the U.S., are you going to send it to an eDiscovery vendor, an expert witness, opposing counsel? You are going to have to show the chain of custody of data protection once it gets to the U.S.,” Daley said.

Leoutsarakos emphasized that the Privacy Shield and the GDPR only refer to personal data.

“But there’s a hidden agenda by the lawmakers,” he said ."If you go through all this trouble to protect the personal data, then you will probably use the same systems for the non-personal data.”

The discussion on the changes to the law and how to comply with the upcoming regulations took place at The Masters Conference in Washington, D.C.

Another Challenge from Schrems?

Judge Andrew Peck, magistrate judge from the Southern District of New York, told Bloomberg BNA via e-mail October 24 that there is a widespread expectation that Schrems, the individual who successfully challenged the U.S.-EU Safe Harbor Program, will lodge a similar challenge to the Privacy Shield. Accordingly, data custodians, controllers and processors should not expect the legal uncertainty that has characterized cross-border transfers since 2015 to be resolved any time soon.

To contact the reporter on this story: Tera Brostoff in Washington at

To contact the editor responsible for this story: Carol Eoannou at

For More Information

The Privacy Shield text is at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Litigation on Bloomberg Law