Privacy Shield finally is law. After nine months of uncertainty following the EU decision to invalidate the Safe Harbor agreement, organizations are to start self-certifying Aug. 1 with the U.S. Commerce Department to transmit personal data to the U.S. from Europe.
For employers, here are questions and answers about the new data-transfer mechanism:
From a payroll perspective, is Privacy Shield different from Safe Harbor?
U.S. intelligence agencies may find that the new mechanism has more restrictions than its predecessor, but its basic framework is similar to Safe Harbor in terms of payroll. Privacy Shield broadly differs by requiring more in-depth information to be submitted to receive certification, providing more opportunities for redress by EU citizens and requiring more robust data-protection requirements. In terms of payroll, the major changes include more liability and restrictions for parent organizations that share data with third-party vendors, additional reporting and recordkeeping requirements and additional government oversight.
What are the steps employers take to sign up?
Just like with Safe Harbor, employers would need to self-certify on the Commerce Department website and renew their registration every year. A major difference between Safe Harbor and Privacy Shield is that the data-protection standards and principles that employers must self-certify are stronger under Privacy Shield.
Similar to Safe Harbor, the self-certification process for Privacy Shield in terms of human-resources information includes these requirements:
• Signing onward-transfer agreements between third parties and parent organizations. The third parties must adhere to the same level of data-privacy protection as the parent group.
• Implementing access controls and restrictions for access to payroll data.
What happens after self-certification?
Adhering to Privacy Shield does not merely mean self-certifying on a yearly basis. Privacy Shield also would expand methods for individuals to obtain redress if their data is misused: companies have 45 days to respond to any data privacy complaints made by an individual. Additionally, organizations that handle individual payroll data are required to comply with investigations by EU data-protection authorities, who can petition the Commerce Department if a complaint is escalated.
Is Privacy Shield worth the hassle?
The EU may have officially sanctioned Privacy Shield, but that does not make it permanent: major obstacles remain to its viability as a long-lasting alternative.
First, data-privacy advocates already have pledged to challenge the new mechanism in court, which was the approach that ultimately led to Safe Harbor’s demise. Second, the European Union will be adopting stricter data-privacy standards in 2018, known as the General Data Protection Regulation. Privacy Shield may prove not to be strong enough for the new standards and therefore require a replacement.
Ultimately, it may be most prudent for employers to simultaneously certify under Privacy Shield while also ensuring that alternatives such as model contracts and binding corporate rules are available if Privacy Shield is invalidated.
Where can I learn more?
More information on the payroll implications of Privacy Shield is available in an International Payroll Decision Support Network perspective on the topic, “Privacy Shield: What U.S. Multinational Employers Need to Know.” Coverage of quickly changing laws on cross-border data-privacy issues is available in the News and Commentary section of the International Payroll Decision Support Network.
Take a free trial to Bloomberg BNA’s International Payroll Decision Support Network. With more than 90 countries covered, this is your one-stop resource for reliable, up-to-date guidance and analysis in every area of global payroll administration and compliance.