On July 12, the European Commission formally adopted the EU-US Privacy Shield, a bilateral data privacy agreement hastily assembled from the wreckage of the Safe Harbor Framework, which was invalidated by the European Court of Justice in 2015. U.S. companies immediately lined up to apply the new framework, with tech giants like Google, Salesforce and Microsoft broadcasting their willingness to abide by the deal’s strictures. As of August 26th, over two hundred companies had adopted Privacy Shield, and the list is growing.
Why do we need Privacy Shield?
The European Union prohibits transfers of personal data from Europe to countries without “adequate” data privacy protection, as defined by the EU itself. Given the longstanding legal differences in approaches to privacy between the EU and the U.S., companies dealing in cross-border data flows need a mechanism to self-certify their compliance with EU law. After the demise of the Safe Harbor Framework, the legal situation surrounding data transfers to the U.S. was thrown into limbo. Privacy Shield aims to fix that.
What Is Privacy Shield?
Privacy Shield is a bilateral data protection agreement between the EU and the U.S., allowing American companies to self-certify their compliance with EU data protection regulations and transfer personal data out of the EU. Privacy Shield is built on seven foundational principles, set forth below:
- Notice: Companies must inform consumers of certain data-related rights and practices under Privacy Shield, including the purposes of third-party disclosures, consumer data access rights and company liability for onward transfers.
- Choice: Privacy Shield prohibits businesses from using data in ways not authorized by their customers. Companies must allow clear routes for consumers to opt out of activities related to their personal data, such as disclosure to a third party.
- Accountability For Onward Transfer: Companies are only allowed to transfer data to third-party agents “for limited and specified purposes,” and they must comply with the Notice and Choice Principles in order to do so. The third-party agent must provide “at least the same level of privacy protection as is required by the Principles.”
- Security: Companies must take “reasonable and appropriate measures” to safeguard the privacy of personal data.
- Data Integrity And Purpose Limitation: Personal data must be “limited to the information that is relevant for purposes of processing,” in accordance with the original use authorized by the consumer.
- Access: Organizations. must give consumers access to their personal information, and allow them to make amendments and monitor its usage for possible violations.
- Recourse, Enforcement and Liability: Companies must offer independent dispute resolution mechanisms free of charge to consumers alleging Privacy Shield violations. Companies that violate Privacy Shield strictures are subject to enforcement actions by the FTC or the Department of Transportation, and are also liable for third-party agent and service provider violations unless they can prove no responsibility. Companies must verify their compliance with Privacy Shield through internal self-assessments or independent third-party audits.
How Do I Sign Up?
The Commerce Department has published a detailed how-to guide on the Privacy Shield self-certification processes. Here are the recommended steps:
- Ensure Eligibility: U.S. companies must be subject to the jurisdiction of either the Federal Trade Commission or the Department of Transportation. Make sure your organization falls within their parameters.
- Adjust Privacy Practices: If your organization seeks to self-certify under Privacy Shield you must first ensure that your privacy practices comply with the criteria described above. This is not always a straightforward process and you may find it helpful to work with a consultant for this critical step.
- Develop A Compliant Privacy Policy: You need to write a privacy policy that complies with all the Principles of Privacy Shield. The Policy should reflect your commitments to the Principles and explain how you meet the requirements of Privacy Shield.
- Identify Your Independent Recourse Mechanism: Under Privacy Shield, you need to maintain an independent system to investigate customer complaints at no cost to the complainant. The Commerce Department recommends using private dispute resolution programs offered by organizations like the American Arbitration Association and the Council of Better Business Bureaus.
- Adopt A Verification Strategy: Ensure you have an adequate verification program in place to monitor your compliance with Privacy Shield. You can conduct a self-assessment, but third-party audits pose less potential for creating conflicts of interest.
- Designate A Privacy Shield Contact: Appoint an employee to handle all Privacy Shield-related queries, complaints and issues.
DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.