Privacy Shield finally is law. After nine months of uncertainty following the EU decision to invalidate the Safe Harbor agreement, organizations are to start self-certifying Aug. 1 with the U.S. Commerce Department to transmit personal data to the U.S. from Europe.
For employers, here are questions and answers about the new data-transfer mechanism:
From a payroll perspective, is Privacy Shield different from Safe Harbor?
U.S. intelligence agencies may find that the new mechanism has more restrictions than its predecessor, but its basic framework is similar to Safe Harbor in terms of payroll. Privacy Shield broadly differs by requiring more in-depth information to be submitted to receive certification, providing more opportunities for redress by EU citizens and imposing more robust data-protection requirements. In terms of payroll, the major changes include more liability and restrictions for parent organizations that share data with third-party vendors, additional reporting and recordkeeping requirements and additional government oversight.
What are the steps employers take to sign up?
Just like with Safe Harbor, employers would need to self-certify on the Commerce Department website and renew their registration every year. A major difference between Safe Harbor and Privacy Shield is that the data-protection standards and principles to which employers must self-certify are stronger under Privacy Shield.
Similar to Safe Harbor, the self-certification process for Privacy Shield in terms of human-resources information includes these requirements:
• Signing onward-transfer agreements between third parties and parent organizations. The third parties must adhere to the same level of data-privacy protection as the parent group.
• Implementing access controls and restrictions for access to payroll data.
What happens after self-certification?
Adhering to Privacy Shield does not merely mean self-certifying on a yearly basis. Privacy Shield also would expand methods for individuals to obtain redress if their data is misused: companies have 45 days to respond to any data privacy complaints made by an individual. Additionally, organizations that handle individual payroll data are required to comply with investigations by EU data-protection authorities, who can petition the Commerce Department if a complaint is escalated.
Is Privacy Shield worth the hassle?
The EU may have officially sanctioned Privacy Shield, but that does not mean it is permanent: there still are major obstacles to Privacy Shield and its ability to be a viable and long-lasting alternative.
First, data privacy advocates already pledged to bring the new mechanism to court, which was the approach that ultimately led to Safe Harbor’s demise. Second, the European Union will be adopting stricter data privacy standards in 2018 known as the General Data Protection Regulation. Privacy Shield may prove to not be strong enough for the new standards and therefore require a replacement.
Ultimately, it may be most prudent for employers to simultaneously certify under Privacy Shield while also ensuring that alternatives such as model contracts and binding corporate rules are available if Privacy Shield is invalidated.
Where can I learn more?
More information on the payroll implications of Privacy Shield is available in an International Payroll Decision Support Network perspective on the topic, “Privacy Shield: What U.S. Multinational Employers Need to Know.” Coverage of quickly changing laws on cross-border data-privacy issues is available in the News and Commentary section of the International Payroll Decision Support Network.