Does Your U.S. Company Keep Your EU Employees’ Data in the U.S.? The New EU-U.S. Privacy Shield Has Stricter Compliance Requirements for You!

[Image: EU Privacy Shield logo. Photo: European Union]

In addition to complying with the new Privacy Shield requirements regarding EU data privacy/security standards (Notice; Choice; Accountability for Onward Transfers; Security; Data Integrity and Purpose Limitation; Access; Recourse, Enforcement and Liability), the new EU-U.S. Privacy Shield self-certification program includes stricter standards for U.S. employers of EU employees. Here are some of the highlights.

Among other things, for data regarding their EU employees, U.S. employers must:

  • Inform the U.S. Department of Commerce (DOC) that they will apply their EU-U.S. Privacy Shield self-certification to Human Resources (HR) Data, and provide the DOC with a copy of their Privacy Shield-compliant HR Privacy Policy and information about where EU employees can view it.
  • Commit to comply with the applicable EU/EEA data privacy laws where their EU employee(s) are located, even when the employer’s equipment is in the U.S. or other non-EU locations.
  • Commit to cooperate and comply with the advice of the local EU/EEA DPA(s), including regarding the resolution of EU employee complaints.
  • Comply with EU and member state Notice and Choice standards before disclosing EU employee data to third parties outside the EU, including after transfer outside the EU.
  • Refrain from using the data privacy choices made by EU employees to restrict employment opportunities or to take any punitive action against the EU employee.
  • Have employee training, discipline, and audit procedures in place for implementation of the EU-U.S. Privacy Shield self-certification.
  • U.S. employers “should also make reasonable efforts to accommodate” EU employee HR Data preferences, including restricting access, anonymizing certain data, or assigning codes or pseudonyms when possible.

The new EU-U.S. Privacy Shield self-certification program also includes some limited compliance exceptions for U.S. companies with EU employee HR Data. Contact your Culhane Meadows attorney for more information.

Author Linda Priebe, CIPP/EU, is a partner in Culhane Meadows’ Data Privacy, Employment, and Compliance Practice Groups in Washington DC. She is certified in EU Data Privacy law (CIPP/EU) and provides advice and counsel to employers, international companies, social media advertisers and marketers, online retailers, regulated industries, federal contractors, and law firms regarding compliance with U.S.-EU data privacy/security laws, use of social media in business and the workplace, and Federal Relations. Prior to Culhane Meadows she was Deputy General Counsel and Ethics Official at the White House Office of Drug Policy (ONDCP) from 1999-2013.

This Blog/Web Site is made available by Culhane Meadows PLLC and its attorneys for educational purposes only and to provide general information about the law—not to provide you specific legal advice. By using this Blog/Web Site you understand that there is no attorney client relationship between you and any Culhane Meadows attorney. This Blog/Web Site should not be used or relied upon as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction. Also, please note that although this Blog/Web Site is made available on the Internet, Culhane Meadows attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.