EEA Adopts the EU-U.S. Privacy Shield Framework
On July 7, the European Economic Area (EEA) – which consists of Iceland, Liechtenstein, and Norway – adopted the EU-U.S. Privacy Shield Framework (Privacy Shield). As a result, the Privacy Shield will now be able to serve as a legal basis for adequacy in cross-border transfers of personal data out of EEA countries to certified U.S. companies. This could be particularly interesting for the U.K., given the possibility that there has been discussion about joining the EEA post-Brexit.
Iceland, Liechtenstein, and Norway
The EEA’s adoption of Privacy Shield will likely come as a relief to companies in Iceland, Liechtenstein, and Norway that had previously used the now defunct Safe Harbor for cross-border transfers, and have struggled while waiting patiently for Privacy Shield to be an available option.
The decision went into force on July 8, and does not require any additional action by the U.S. Department of Commerce or the European Commission.
First Annual Review
The EU-U.S. Privacy Shield was adopted on July 12, 2016. It will undergo its first annual joint review in September 2017, where the European Commission and U.S. Department of Commerce will assess the Privacy Shield’s first year and will address various questions and concerns that have been raised.
Whether the EEA’s recent adoption of the Framework will have any bearing in that annual review will remain to be seen, but it is likely that the countries of Iceland, Liechtenstein, and Norway will want their voices to be heard.
How OneTrust Helps
OneTrust enables privacy professionals to prepare for compliance with upcoming privacy regulations and certifications through proactive self-assessments. Free templates are available for the EU General Data Protection Regulation, Privacy Shield, BCR (controllers and processors), and APEC CBPR, as part of the OneTrust privacy management platform. Privacy professionals can use OneTrust to benchmark their organizational readiness, prioritize requirements for compliance and provide executive-level visibility.