
Safe Harbor Struck Down – What’s the impact to U.S. Background Check Providers?

October 20, 2015

Terry Corley discusses the implications of complying with the EU Data Protection Directive now that Safe Harbor has been struck down.

The dramatic decision of October 6, 2015 by the Court of Justice of the European Union (CJEU) striking down the Safe Harbor Agreement between the U.S. and the European Union, following its ruling in Maximilian Schrems v. Irish Data Protection Commissioner (C-362/14), has been a seismic event for many U.S. multinational organizations, to say the least.

Privacy experts across many sectors continue to reel from the announcement and are still evaluating its full implications for U.S. businesses that regularly collect, process, and transfer personal data across the Atlantic. For those that handle sensitive personal information, such as the data contained in employment-related background checks and human resources records, the challenges are even greater. Instead of the simplified self-certification program that the Safe Harbor option provided, companies that regularly handle sensitive personal information will now have to individually register with, and/or gain approval from, each European data protection authority in whose jurisdiction they plan to collect data for transfer.

To further complicate matters, on October 16 the Article 29 Working Party (WP29)[1] released a statement following the ruling announcing that coordinated enforcement actions by EU data protection authorities (DPAs) against companies that fail to implement appropriate data transfer mechanisms will begin at the end of January 2016, just over three months away.

All data transfers made under the now-invalidated Safe Harbor framework after the CJEU’s ruling are considered illegal. Put simply, there is no grace period for transitioning to another data transfer mechanism: every transfer of personal data from the EU to the U.S. from October 6, 2015 forward must rest on a separate legal basis. Alternate transfer mechanisms such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses remain available, but even these are subject to the investigative and enforcement powers of the European data protection authorities.

Background screeners are strongly encouraged to undertake an organization-wide privacy impact assessment. Penalties for non-compliance and/or violations can range from monetary fines of several thousand dollars up to 2% of gross revenues, not to mention criminal sanctions. Time is not on your side.

Terry Corley helps organizations navigate global employee screening, privacy and data protection, employment, and regulatory compliance, and is the Managing Principal of Aletheia Consulting Group.

[1] The Working Party was set up by the European Parliament and Council as an independent advisor on issues concerning the protection of individuals with regard to the processing of their personal data and the free movement of such data.
