As of, August 1st, 2016, U.S. companies can now join the Safe Harbor successor EU-U.S. Privacy Shield (the “Privacy Shield”) for personal data transfers from the EU to the U.S.
This post gives a high level summary of what companies should consider with the Privacy Shield.
On July 12, 2016, the European Commission (the “Commission”) formally adopted the adequacy decision necessary to implement the Privacy Shield. This means that transfers of personal data from the EU to the U.S. that are made pursuant to the Privacy Shield’s requirements are lawful under EU law. The Privacy Shield replaces the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (“CJEU”) on October 6, 2015.
On December 7, 2015, more than two and a half years after the first draft, the European Union Council finally reached an important, informal agreement with the Parliament on important network and information security rules (“NIS-Directive”) affecting companies across the EU. The culmination of the European Commission’s Cybersecurity strategy effort that began in February 2013 with the European Commission’s proposed draft directive on measures to ensure a common level of network and information security. Final adoption of the NIS-Directive will have several important consequences, including increased focus by Boards of Directors of cybersecurity risk, the need for companies to increase their investment in information security, to prepare and implement cybersecurity incident response plans, to conduct internal comprehensive investigations into the circumstances of a cybersecurity event in order to comply with forthcoming reporting obligations.