EU-US PRIVACY SHIELD – What is it?
Simply put, the EU-US Privacy Shield is a commitment that American organizations make to the U.S. Department of Commerce (DOC) International Trade Administration (ITA) through self-certification to protect the fundamental rights of EU subjects when these organizations transfer personal information of European Union subjects across EU borders. They are committed to handling personal data adequately according to a set of seven Privacy Shield principles or requirements as enshrined in this trans-border framework between the U.S. and the EU.
How Many Organizations Have Self-Certified?
About 4,000+ companies have certified through self-assessment or through an independent third party.
Who are some of these organizations?
Microsoft, Facebook, Google, etc., to name a few big names. But there are others that aren’t so big. Here’s the full list.
Does This Framework Require Reporting Directly To EU Authorities?
No. The Federal Trade Commission (FTC) is the authority responsible for enforcing compliance with the Privacy Shield principles. The Department of Commerce is responsible for administering Privacy Shield application, certification, renewal processes, and guidelines. DOC also maintains a list of certified businesses. You must first become a member of ITA before applying for Privacy Shield certification. It’s best to reach out to DOC for assistance before you fill out the application form to begin the process. Once in, you’re in it for good and will be regulated; your organization may withdraw, but doing so involves a process. Privacy Shield replaced Safe Harbor, a 15-year-old trans-border personal data transfer mechanism that was invalidated by the EU Court of Justice in 2015 as inadequate in protecting EU subjects’ privacy rights in the U.S.
So, What Are The EU-US Privacy Shield Principles?
The Privacy Shield principles are very similar to GDPR principles. They include Notice, Choice, Accountability for Onward Transfers, Security, Access, Data Integrity & Purpose Limitation, and Recourse, Enforcement, & Liability.
Principle 1: Notice
Principle 2: Choice
Similar to GDPR, getting consent is important. Even more important is making sure individuals can make clear decisions about their preferences on disclosure and use of their personal information.
Principle 3: Accountability for Onward Transfers
If your business works with partners or third parties to process personal data transferred from the EU, you’re responsible for ensuring adequate data protection and for making sure third-party contractual agreements align with your notice to data subjects and with your business obligations to EU data subjects and the Privacy Shield. Otherwise, your business bears the liability in the event of a breach.
Principle 4: Security
Assess your risks for processing personal data and determine what security measures will be appropriate to reduce the risks. Implement the safeguards to protect personal data against unauthorized disclosure, use, access, and modification.
Principle 5: Data Integrity & Purpose Limitation
Maintaining data quality is crucial. Data integrity means data is accurate and relevant for its purpose or use, and is not incomplete or corrupted with errors.
Principle 6: Access
EU data subjects have privacy rights and should exercise them. Your business is responsible for providing a mechanism for data subjects to exercise their rights. Among these rights are the right to access, rectify, restrict processing of, and delete personal data held about them.
Principle 7: Recourse, Enforcement, & Liability
Have a process for resolving data subjects’ complaints. From your notice or website, give data subjects access to a link, email, or portal where disputes can be properly handled, resolved, and documented.
Does EU-US Privacy Shield Apply to My Business?
It depends on whether your business relies on transatlantic or trans-border data transfers. But before you apply for EU-US Privacy Shield certification, ensure that your business is already implementing the seven principles and is compliant.
Consider the quality of your corporate structure, privacy program, contracts, third-party or vendor management, and current alternative data transfer mechanisms. Assess your business needs, size, and markets, and how data flows or is distributed for processing. Your business may work toward readiness to apply for certification. Until then, it’s not advisable to start the process if your business may end up struggling to comply.
Certification is voluntary. EU-US Privacy Shield aligns with GDPR requirements, so if GDPR applies to your business, you’re responsible for compliance with both GDPR and the Privacy Shield (after self-certifying with Privacy Shield). Like most American organizations, you may be relying on other justifications (Binding Corporate Rules, Ad Hoc Clauses, Model Clauses, Consent, Codes of Conduct, etc.) for trans-border transfers or for processing personal data from the EU. Consider EU-US Privacy Shield certification as “extra credit” in the eyes of enforcement authorities. There are many other benefits.
For more information on the EU-US Privacy Shield, visit www.privacyshield.gov.
Photo credits: Thomas Habr, Silas Baish, Amogh Manjuna, and Sweet Ice Cream Photography.