
How will the new EU-U.S. data transfer policy change governance?

The new transatlantic data transfer policy framework may require companies to rethink governance processes to follow its security and privacy protocols.

The EU-U.S. Privacy Shield went into effect this summer, and eligible U.S. companies can now self-certify under the transatlantic data transfer framework, which is designed to strengthen the data privacy obligations of U.S. businesses that transfer EU residents' personal information in the course of transatlantic commerce.

In part two of this two-part Q&A, Melinda McLellan, privacy and data protection lawyer at BakerHostetler law firm, discusses some of the new principles that the data transfer policy framework introduces and what they mean for companies' information governance processes.

The new transatlantic data transfer policy states that companies may retain European data subjects' personal data only for as long as the data serves the purpose for which it was collected. How will this change affect companies' data governance processes in relation to information security?

Melinda McLellan: It is a basic tenet of EU data protection law that an organization is only supposed to retain data for as long as it is needed to serve the purpose for which it was collected. If there is a new purpose for which the organization wishes to use the data, they need to notify the data subject about the different purpose and get appropriate consent. Now that there's an explicit requirement in this regard, companies will need to confirm that their data retention and destruction policies are properly implemented, to ensure that they are not keeping personal data longer than needed.

The disposal of employee data offers a good practical example. Organizations need to have an effective process in place to confirm that they are getting rid of former employees' personal data that they no longer need. Organizations should have policies concerning the timeframe for secure destruction of unnecessary personal data, and conduct audits to verify that the policies are actually being implemented.


Organizations self-certifying under the new EU-U.S. data transfer policy are required to have procedures in place for verifying compliance. How will this influence organizations' data governance processes as they try to remain compliant with the framework?

McLellan: In terms of data governance, one of the changes under the Privacy Shield versus the Safe Harbor framework is that if an organization joins the Privacy Shield and then decides to leave, the organization still must adhere to the Privacy Shield Principles with respect to the data that it collected while it was Privacy Shield-certified. This requirement was not explicit under the Safe Harbor framework.


For example, imagine an organization that self-certifies today, then leaves the Privacy Shield in December 2017. If it wants to retain the personal data that it collected while it was certified, all of that data still needs to be protected as it was while the company was certified.

Perhaps more importantly, if an organization gets kicked out for failing to comply, that is, if it is found to be persistently violating the Privacy Shield Principles, then it has to destroy all the EU personal data it obtained through the Shield. That could create a major compliance burden for affected companies.

Of the new principles that Privacy Shield introduces, what is the one that seems most interesting to you?

McLellan: Apart from what I already stated [above], another big change concerns the way in which individuals will be able to bring complaints. In the past, at least in theory, under the Safe Harbor an EU data subject could go to a national data protection authority to ask them to look into something. But the Privacy Shield introduces a much more structured approach, with various mechanisms individuals can use to lodge complaints against a company that transfers their personal data from the EU to the U.S. If the company doesn't resolve the problem, and other channels prove ineffective, then there is an arbitral panel proceeding that data subjects can turn to.

The overarching idea here is that companies and authorities will be expected to take data subjects’ complaints seriously, and respond to them promptly. It will be interesting to see how this plays out in practice.

Read part one of the Q&A to find out which factors and operational reforms companies eligible to self-certify under the new EU-U.S. data transfer policy framework should consider before joining.
