The US-EU Privacy Shield Framework was agreed upon in mid-July, replacing the defunct Safe Harbor agreement which was previously annulled. The changes are important to note, especially for those entities dealing with multinational issues.
The European Union (EU) was the driving force behind this new framework, with the goal of having the privacy of EU citizens better protected and to provide an avenue by which an EU citizen could file a complaint and expect adjudication with respect to how their personal data is being used, protected or shared. In a nutshell, the framework imposes stronger obligations on US companies.
What does it look like?
The US-EU Privacy Shield is a self-certifying mechanism by which the privacy of data, including EU citizen data is paramount and at the forefront. The US commercial sector will be expected to put in place mechanisms (and staff) to ensure that the company is able to meet the agreement’s rules.
The US government will be the entity which will be answering complaints from EU entities and citizens. Complaints made will be responded to within 45 days.
What steps every company should take
- Self-certify, annually they meet the Privacy Shield requirements
- Display the privacy policy on their website
- Reply promptly to complaints
- For Human Resource data: Cooperate with the European Data Protection Authorities
What the US government promised the EU
- Access to personal data will fall within clear limitations/safeguards
- No indiscriminate or mass surveillance
- Companies may report number of access requests
- Redress possible through the US-EU Privacy Shield ombudsperson mechanism.
The principals in the US-EU Privacy Shield Framework
A participating entity should be prepared to disclose to individuals how the information is being collected, used, shared and processed. Be prepared to be fully participatory in the dispute resolution process (and the expenses of arbitration), to include working with the Federal Trade Commission, Department of Commerce and other US governmental entities.
Additionally, users must be provided with the opportunity to choose how their information will be used. Furthermore, third-party sharing must be clearly and unambiguously indicated, and fall within the guidelines.
The entity must secure the data. They “must take reasonable and appropriate measures to protect it.”
If you are collecting personal identifying information, this information must be available to the individual and ensure the person is “able to correct, amend or delete the information.”
Mixed reviews from the EU
While some may view the US-EU Privacy Shield Framework to be robust and intensive, it was received with mixed reviews in the EU. Digital Europe applauded those EU member states who worked on and approved the agreement for their diligent work and commitment to “ensuring a high level of data protection when executing transatlantic data transfers.” Whereas, Privacy International, panned the agreement as more of the same. Specifically noting, “remains an opaque document that will be a field day for law firms.” They were joined by the European Digital Rights organization which characterized the agreement as “Privacy Shield: Privacy Sham,” calling the agreement illegal.
For additional, primary source reading:
US-EU Privacy Shield Framework Factsheet