Five Top EU-US Privacy Shield Questions, Answered
On Tuesday, the European Commission formally adopted the EU-US Privacy Shield, a new framework for governing personal data transfers between Europe and the United States. The Privacy Shield, which replaces the Safe Harbor transfer deal, implements safeguards on how US organizations can access the data of EU citizens.
Although some argue that adhering to European data protection laws in the US (where EU law has no jurisdiction) is impossible without substantial reform of US laws, top representatives from each region assert otherwise.
In a joint statement on Tuesday, Commission Vice-President Andrus Ansip and Justice Commissioner Vera Jourova said the Privacy Shield imposes “clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”
Over the past few days, a lot of clients and colleagues have asked me what this announcement means for data privacy, compliance, and more. I thought it might be helpful to share some insights here.
Below are answers to five top questions around the EU-US Privacy Shield. Have more questions? Ask them in the comments section below.
1. How will the Privacy Shield process work?
US companies will register to be on the Privacy Shield list and self-certify that they meet the high data protection standards set out by the arrangement. They will have to renew their registration every year. The US Department of Commerce will monitor and actively verify that privacy policies are in line with the relevant Privacy Shield principles.
2. In what key ways does Privacy Shield differ from the old Safe Harbor agreement?
The Privacy Shield upholds Safe Harbor’s requirement for participating organizations to take appropriate measures to “protect data from loss, misuse, and unauthorized access.” But there are several ways in which the Privacy Shield differs:
- Companies will be mandated to appoint data protection officers who will provide citizens with the “right to be forgotten.”
- Breaches of personal data must be reported within 72 hours of discovery.
- The GDPR will fine violating companies as much as 20 million euro or up to 4% of total annual worldwide gross revenue, whichever is higher.
- The Department of Commerce will significantly expand its role in monitoring compliance, including by carrying out ex-officio compliance reviews and investigations of participating organizations.
- Participating organizations will be subjected to additional compliance and reporting obligations, some of which will continue even after they withdraw from the Privacy Shield.
3. How does the Privacy Shield affect third-party data transfers and agreements?
The Privacy Shield expands regulation of and accountability for third-party personal data transfers. In third-party contracts, certified organizations must specify that transferred personal data may only be processed for “limited and specified purposes” consistent with the data subject’s consent. All third parties must agree to provide the same level of protection as organizations certified under the Privacy Shield.
4. What are some key protections that participating organizations are required to provide to individuals?
Organizations participating in the Privacy Shield are required to notify individuals, in clear and conspicuous language, of:
- The organization’s participation in the Privacy Shield
- The type of data they are collecting and the purposes for that data
- Any third parties to whom their data will be transferred
- The individual’s right to access their data and their opportunity to correct, amend or delete information that is inaccurate or processed in violation of the Privacy Shield
- Available recourse mechanisms and the FTC’s (or other statutory body’s) enforcement authority
5. Is my business required to sign up to the EU-US Privacy Shield?
Signing up to the Privacy Shield is technically voluntary. But if you don’t sign up, you will not be authorized to process any data from the EU in the US without the end user’s permission, or without using model clauses or binding corporate rules. Those options cost more time and money. Even if your company didn’t worry about Safe Harbor before, you should pay attention to the Privacy Shield: the definition of “personal data” has changed.
We’ve been following news of the Privacy Shield closely, and will continue to do so. Subscribe to our blog to stay up to date on key updates and suggested actions.
About Dennis Dayman
Dennis Dayman has more than 20 years of experience combating spam, security/privacy issues, data governance issues, and improving email delivery through industry policy, ISP relations and technical solutions. As Return Path’s chief privacy and security officer, Dayman leverages his experience and key relationships to provide best practices to Return Path, its customers, and ensures the compliance of their communications data flows. He is also responsible for coordinating and managing Return Path’s international electronic commerce, privacy and Internet related policy issues.