A Side-By-Side Comparison of “Privacy Shield” and the Controller-Processor Model Clauses

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States as “adequate” unless a company (1) enters into EU Commission preapproved model contractual clauses with the data recipient, (2) sends data to a corporate affliate in the US that is under the scope of “Binding Corporate Rules,” or (3) entered the EU-US Safe Harbor Framework.

Most data processors (e.g., service providers) that were based in the US complied with the Directive by entering the pre-approved controller-processor model clause or the EU-US Safe Harbor Framework. In October of 2015, the EU-US Safe Harbor Framework was invalidated by the European Court of Justice. As a result, many of the companies that had relied upon the Safe Harbor switched to the controller-processor model clauses; the use of those clauses became far and away the most popular way to comply with the Directive.

On July 12, 2016, the EU formally approved a new mechanism for transferring data to the United States called the “Privacy Shield.” Although you can find a full discussion of the history, and implementation, of Privacy Shield here, the best way for a company to understand Privacy Shield (and decide if it wants to use it going forward) is to do a side-byside comparison of the Privacy Shield against the mechanism that it currently uses, used, or is considering. Our series of side-by-side comparisons started with a Privacy Shield/Safe Harbor comparison published here.

Click here to view the side-by-side comparison of the Privacy Shield and the Controller-Processor Model Clauses.

comparison2

A Side-by-Side Comparison of “Privacy Shield” and the “Safe Harbor”

More than 5,000 companies had taken advantage of the now defunct U.S.-EU Safe Harbor Framework. Those companies are now considering whether to join the newly approved “Privacy Shield,” and are trying to understand the difference between the old and new framework. As they do, these companies are faced with many questions: How does the Privacy Shield differ from Safe Harbor? Can you rely on the Model Clauses? Or would it make more sense to join the Privacy Shield? If so, what do you need to do to join?

To supplement our earlier publication, we have prepared a side-by-side comparison of the invalidated Safe Harbor and the new Privacy Shield. Over the next week, we will be publishing similar comparisons between Privacy Shield and other adequacy methods including the model controller-controller clauses and the model controller-processor clauses. If you would like to receive those comparisons, please register at www.bryancavedatamatters.com.

Click here to view the side-by-side comparison of the Safe Harbor and the Privacy Shield.

sidebyside

Privacy Shield Finalized – How Everyone Can Take Advantage of the New European Data Transfer Framework

Background

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU Member State.  The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed.  Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection.  As a result, if a company intended to transfer personal data from the EU to the U.S., it traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….

priovacyshielf

Webinar: Life After the Safe Harbor Under the “Privacy Shield”

March 3, 2016 at 12 p.m. EST

Companies of all types were caught off guard when the EU-U.S. Safe Harbor data transfer framework was invalidated in October 2015. In the months following the invalidation, many companies anxiously awaited a replacement for the original Safe Harbor framework. That replacement has now been announced in the form of the newly-negotiated “Privacy Shield” framework. Join Jana Fuchs and Jason Haislmaier as they discuss the details of the Privacy Shield framework, provide an update on the current status and timeline for the formal adoption of the Privacy Shield, and provide strategies for compliance in EU-U.S. cross border data transfers both now and following adoption of the Privacy Shield. Click here for more information or to register.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Advisory Board Calls for EU-US Safe Harbour Grace Period

The Article 29 Working Party — an independent data protection advisory board for the EU composed of representatives from the Member State’s — urgently called on the Member States to open discussions with US authorities in order to find legal and technical solutions that would replace the now-defunct EU-US Safe Harbour framework… Safe Harbor October 21 2015

The (ex) EU-US Safe Harbor At A Glance (2015)

On Tuesday, October 6, 2015, the European Court of Justice decided that the EU/US Safe Harbor regime for data transfers is no longer… safe.  Until now, companies exchanging data between the EU and the US could rely on the Safe Harbor regime, but with the decision that is no longer an option.  In addition companies currently relying on Safe Harbor are scrambling to find alternative compliance strategies . . . ExSafeHarbor

US/EU Data Transfers: Informational Article (2015)

Dancing the legal limbo around US_EU data transfers-1_1Difficulties often manifest themselves in transferring data from the ‘safe’ EU to the ‘unsafe’ US.  Difficulties also exist with US law enforcement authority requests for access to such data, which is often not permitted under EU law.  The following article, originally published in the Data Protection Law & Policy Journal, discusses these issues . . .

EU Binding Corporate Rules At A Glance (2015)

BindingCorporateRules

The EU Directive creates the legal framework for the national data protection laws in each EU member state.   The EU Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed.  The laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company intends to transfer personal information into the United States they must take one of the following steps to achieve the “adequacy” status required by the Directive.  Binding Corporate Rules . . .

 

German Data Protection Law At A Glance (2015)

Compliance_German_Data_Privacy_1

The main criteria in determining whether German law applies is whether a data controlling company is legally established in Germany or a data controlling company is established outisde the EU but uses equipment that is located in Germany for data processing.  This information sheet provides an overview of the requirements of Germany’s data protection law . . .

The EU Model Contracts At A Glance (2015)

Model Contracts_At A Glance  The EU Data Protection Directive creates the legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. The EU Model Contracts . . .

Usage of US/EU Safe Harbor At A Glance (2015)

SafeHarbor2JPG

Companies completing the Safe Harbor process must make several decisions. For example, they must decide whether to have an independent third party verify their compliance with the Safe Harbor framework, whether to retain an arbitration group to adjudicate complaints about their privacy practices, and what data they wish to include within their certi.cation.  The following provides background and benchmarking concerning the types of companies that utilize . . .

 

The US/EU Safe Harbor At A Glance (2015)

Safe Harbor_At A Glance_1

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. Few exemptions apply, in particular when explicit consent was given or in direct business cases. The laws of the United States are not considered by the European Union as providing an adequate level of data protection. . .