Does Your U.S. Company Keep Your EU Employees’ Data in the U.S.? The New EU-U.S. Privacy Shield Has Stricter Compliance Requirements for You!

 


In addition to requiring compliance with the new Privacy Shield requirements regarding EU data privacy/security standards (Notice; Choice; Accountability for Onward Transfers; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability), the new EU-U.S. Privacy Shield self-certification program includes stricter standards for U.S. employers of EU employees. Here are some of the highlights.

Among other things, for data regarding their EU employees, U.S. employers must:

  • Inform the U.S. Department of Commerce (DOC) that they will apply their EU-U.S. Privacy Shield self-certification to Human Resources (HR) Data, and provide the DOC with a copy of their Privacy Shield-compliant HR Privacy Policy and information about where EU employees can view it.
  • Commit to comply with applicable EU/EEA data privacy laws where their EU employee(s) are located, even when the employer’s equipment is in the U.S. or other non-EU locations.
  • Commit to cooperate and comply with the advice of the local EU/EEA DPA(s) including regarding resolution of EU employee complaints.
  • Comply with EU and member state Notice and Choice standards before disclosing EU employee data to third parties outside the EU including after transfer outside the EU.
  • Refrain from using the data privacy choices made by EU employees to restrict employment opportunities or take any punitive action against the EU employee.
  • Have employee training, discipline, and audit procedures in place for implementation of EU-U.S. Privacy Shield self-certification.
  • In addition, U.S. employers “should also make reasonable efforts to accommodate” EU employee HR Data preferences, including restricting access, anonymizing certain data, or assigning codes or pseudonyms when possible.

The new EU-U.S. Privacy Shield self-certification program also includes some limited compliance exceptions for U.S. companies with EU employee HR Data.  Contact your Culhane Meadows attorney for more information.

Author Linda Priebe, CIPP/EU is a partner in Culhane Meadows’ Data Privacy, Employment, and Compliance Practice Groups in Washington DC. She is certified in EU Data Privacy law (CIPP/EU) and provides advice and counsel to employers, international companies, social media advertisers and marketers, online retailers, regulated industries, federal contractors, and law firms regarding compliance with U.S. – EU data privacy/security laws, use of social media in business and the workplace, and Federal Relations. Prior to Culhane Meadows she was Deputy General Counsel and Ethics Official at the White House Office of Drug Policy (ONDCP) from 1999-2013.
