Notice to SterlingBackcheck clients on EU-US Privacy Shield
March 30th, 2016
The following information applies to Sterling US clients (or their subsidiaries) located in the EU. Sterling Canada and Sterling UK clients are not impacted.
The European Commission published details on February 29, 2016 of the new EU-US Privacy Shield. The Privacy Shield replaces the former Safe Harbor framework permitting transfers of personal data from the European Economic Area (“EEA”) to registered US organizations. In October 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor framework following a case brought before the Irish courts by Austrian law student Max Schrems. That invalidation meant that organizations could no longer rely on Safe Harbor as a mechanism to transfer personal information from the EEA to the US. Organizations had until the end of January 2016 to find alternative mechanisms. Sterling assisted many of its clients to identify the most appropriate mechanisms for their global background screening programs, such as Standard Contractual Clauses.
| Date | Event |
|---|---|
| June 5, 2013 | The UK Guardian Newspaper published a series of articles detailing revelations from former NSA contractor Edward Snowden about mass surveillance activities by the United States |
| July 2, 2013 | The EU Parliament passed a resolution in response to the Snowden revelations, calling for the European Commission to conduct a full review of the Safe Harbor framework |
| November 27, 2013 | The European Commission announced the results of its review, releasing 13 recommendations to improve the Safe Harbor framework. |
| March 26, 2014 | President Obama and then-EU Council President Herman van Rompuy announce agreement to begin Safe Harbor negotiations |
| October 6, 2015 | The Court of Justice of the European Union invalidates Safe Harbor |
| February 2, 2016 | Department of Commerce and European Commission announce political agreement on new transatlantic data transfer framework to replace Safe Harbor – the EU-US Privacy Shield |
| February 29, 2016 | The European Commission published details of the draft adequacy decision and details on the EU-US Privacy Shield |
Although both the European Commission and the Department of Commerce envisage that the Privacy Shield will be implemented within a couple of months, it is more likely to occur at the end of Q3 or beginning of Q4 2016. A number of steps are still pending before the Privacy Shield is implemented, including, among others:
- Approval of the draft Privacy Shield decision by various EU bodies (i.e. Article 29 Working Party)
- Creation and implementation of the new framework in the US, including the monitoring mechanisms and the new Ombudsperson mechanism
- Signature of the EU-US “Umbrella Agreement”, followed by EU Council authorisation with EU Parliament consent.
What are the Privacy Shield Principles?
The Privacy Shield largely reflects existing principles in Safe Harbor, but the principles are now much more comprehensive and detailed.
- Accountability (for onward transfers)
- Data Integrity
- Purpose Limitation
- Recourse, Enforcement and Liability
The Privacy Shield also includes a number of ‘supplemental principles’ which offer more detailed requirements for specific purposes, including, among others, the transfer of sensitive data, secondary liability, human resources data, and publicly available data.
How will the Privacy Shield work in practice?
Similar to Safe Harbor, US companies will register to be on the Privacy Shield list and self-certify on an annual basis that they meet the requirements set out. The US Department of Commerce will monitor and actively verify that any self-certified company is compliant with the Privacy Shield principles.
What is Sterling doing to get ready for the Privacy Shield?
As the global leader in background screening, Sterling is already taking measures to ensure that its background screening practices which fall in scope of the Privacy Shield are compliant with the framework.
Sterling will continue to maintain its Safe Harbor registration and will aim to secure registration under the Privacy Shield as soon as further details of how to do so are released.
What is the impact of the Privacy Shield on my screening program?
The Privacy Shield will not have a major impact on your existing screening program which involves EEA-US data transfers. At present, such transfers are based on other mechanisms, such as EU Commission Standard Contractual Clauses.
Before all remaining measures to implement the Privacy Shield are in place and the Privacy Shield is live, SterlingBackcheck clients should continue to rely on Standard Contractual Clauses for transfers of personal information from the EEA to the US. Sterling will work with clients who wish to rely on the Privacy Shield to transition into the new framework over the course of 2016.
Where can I find more information on the Privacy Shield?
This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.