On July 12, the European Commission formally approved the EU-U.S. Privacy Shield framework governing how personal data from EU citizens is received and transferred. The decision comes over nine months after the European Court of Justice invalidated the previous data-transfer agreement, Safe Harbor.
Privacy Shield was designed to provide stronger data protection standards, and improved complaint handling and enforcement, including greater oversight by the U.S. Department of Commerce and the Federal Trade Commission.
For companies, the Privacy Shield offers a way to comply with EU legal requirements when transferring personal data from the EU to the U.S. Věra Jourová from the EU Commission also points out that one of the main benefits of Privacy Shield for U.S. businesses is that it provides legal clarity on the EU’s privacy and data protection laws.
U.S. companies will have the opportunity to self-certify by submitting an application to the Department of Commerce beginning August 1.
Is Privacy Shield certification mandatory for U.S. companies?
While Privacy Shield certification is voluntary, any U.S. company or organization that processes the personal data of EU individuals should consider instituting guidelines and processes similar to those described in Privacy Shield since it is still subject to the EU’s privacy and data protection laws.
What are the Privacy Shield requirements?
Compared to Safe Harbor, the EU-U.S. Privacy Shield agreement places more stringent requirements and responsibilities on how U.S. companies collect, manage, and store the data of EU residents.
Companies that have registered to be on the Privacy Shield certification list will need to provide greater transparency to individuals regarding what personal data is being collected, how the data is being used, and whether that data is being handled by a third party. Individuals have the right to access their personal data and to be provided with an easy recourse mechanism for complaints at no cost to the individual. Companies must be able to respond to complaints within 45 days.
Regarding the use and management of the collected personal data, U.S. companies would need to take appropriate measures to protect the data from loss, misuse, and unauthorized access, as well as to ensure data integrity.
Third parties that handle personal data are also governed by the same rigorous conditions of the framework. Those entities are obligated to maintain a level of protection at least equal to that provided by the Privacy Shield company. They must also inform the Privacy Shield company in the event that they are no longer able to provide the appropriate level of protection.
Self-certification occurs annually with verification by the company that it continues to meet the requirements outlined in the agreement.
A company must be compliant with all Privacy Shield requirements before applying for certification. After certification, commitment to the framework is enforceable under U.S. law. Persistent failure to comply could lead to sanctions, removal from the list of registered Privacy Shield companies by the Department of Commerce, and being designated as an organization that is “no longer assured of Privacy Shield benefits”.
The Department of Commerce has released a guide to self-certification to help companies prepare for application.
Other key takeaways
Mergers and acquisitions. A Privacy Shield company involved in a potential M&A transaction will need to undergo a due diligence review involving the auditing of personal data, including information on senior executives and other key personnel. In the event that a Privacy Shield company is dissolved or taken over, the data that was collected while under Privacy Shield is still governed by Privacy Shield.
Certification lapse. Even if a company decides not to re-certify, it must still adhere to the principles of the Privacy Shield framework with regard to personal data that it collected while under Privacy Shield.
Brexit. There is some uncertainty regarding how long Privacy Shield will be active in the U.K. However, the U.K.’s Information Commissioner has indicated that certain rules outlined in Privacy Shield may be adopted by the U.K. if and when the country separates from the EU.
Will Privacy Shield last?
Privacy advocate Max Schrems, whose campaign against Facebook helped dismantle Safe Harbor, has already come out against Privacy Shield, stating that “It’s better than Safe Harbor, obviously, but far from what the ECJ (European Court of Justice) has asked for.”
However, several companies including Apple, Microsoft, Google and Dropbox, have welcomed the new decision and are preparing to meet the standards outlined in the agreement.
To learn more about how CT can help you better manage your compliance and governance needs, contact a CT representative at 855-316-8948 (toll-free US).