What the EU-U.S. Privacy Shield Means for HR Data

By Aliah D. Wright Jul 18, 2016

​On June 12, the European Commission adopted the EU-U.S. Privacy Shield, ending a type of limbo for U.S. companies that had ​been relying on alternatives for the transfer of personal data ever since the Safe Harbor agreement between the U.S. and the European Commission was nullified last October.

​​The Privacy Shield "protects the fundamental rights of anyone in the European Union [EU] whose personal data is transferred to the United States" and brings legal clarity for businesses relying on transatlantic data transfers, according to a news release from the European Commission.

The shield replaces the Safe Harbor agreement, which was nullified by the Court of Justice of the European Union in Schrems v. Data Protection Commissioner.

Self-certification of compliance with the shield by U.S. organizations begins Aug. 1, 2016.

As SHRM Online reported on Schrems earlier this year, "Maximillian Schrems, an Austrian national, filed a complaint with the Irish Data Protection Commissioner (Irish DPC) asking it to prohibit Facebook Ireland Ltd. from transferring his personal data to Facebook Inc. in the United States."

Based in part on revelations made by whistle-blower Edward Snowden concerning surveillance activities by U.S. intelligence, Schrems believed U.S. laws didn't guarantee "adequate protection" of his personal data. However, the Irish DPC rebuffed Schrems' complaint, saying there was no evidence that his personal data had been accessed. The Irish DPC also found that the Safe Harbor agreement provided adequate protection for any personal data transferred to the U.S.

Schrems challenged the ruling before the European Court of Justice, which found in his favor.

"The European high court struck down the Safe Harbor agreement, in part, because the U.S. government retains the right to access data in the U.S. for national security and law enforcement purposes and does not permit EU citizens to make complaints regarding the misuse of their personal data. The decision authorizes each [member country's] Data Protection Commissioner to consider individual claims asserting that the transfer of personal data from the EU to other countries violates EU privacy laws," SHRM Online reported.

According to U.S. Secretary of Commerce Penny Pritzker, U.S. companies will be given until Aug. 1 to review the Privacy Shield to enable a "smooth transition."

In an interview with SHRM Online July 15, privacy attorney Philip Gordon, a shareholder in Littler Mendelson's Denver office and co-chair of the firm's privacy and background checks practice group, said that "more than 4,000 U.S. companies relied on Safe Harbor for cross-border data transfers." But after nullification of the law, "U.S. companies had to make a decision whether to use a different data mechanism or fly under the radar." He said the alternatives companies used to transfer HR data included standard contractual clauses and binding corporate rules.

Companies will now need to decide "whether they will continue to rely on the measures they put in place in response to the invalidation of Safe Harbor or switch to the Privacy Shield," Gordon noted.

An analysis of the shield provided to SHRM Online from Morrison & Foerster, an international law firm with 17 offices in the United States, Asia and Europe, states that "at first glance, the shield bears a strong resemblance to Safe Harbor, which misled some commentators to denounce it as a mere duplicate in disguise. However, the shield introduces substantial changes for data protection, including additional rights for EU individuals, stricter compliance requirements for U.S. organizations, and further limitations on government access to personal data."​


Job Finder

Find an HR Job Near You
Post a Job


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect