EU-US Privacy Shield

~by Paul Harris, Global-Z Marketing Manager

Are you ready for the new Privacy Shield regulations? The new EU-US agreement is bringing some major changes for American businesses that process European customer data. While many questions about Privacy Shield’s impact are yet to be answered, we collected the most frequently asked questions to help you better understand the regulations.

 

 

  • What is Privacy Shield?
    • On July 12th, 2016 the European Commission (EC) adopted the new EU-U.S. Privacy Shield (formerly known as EU-US Safe Harbor). The new Privacy Shield framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States, as well as bringing legal clarity for businesses relying on transatlantic data transfers.
    • Privacy Shield is a voluntary self-certification to the US Department of Commerce. Once a company publicly commits to Privacy Shield, it is enforceable under US law. It includes multiple avenues of redress to resolve complaints. The agreement is a ‘living commitment’ with annual reviews. Companies that certify with Privacy Shield must select an independent dispute resolution organization; the criteria include the following:
      • Panel created by the EU Data Protection Authorities (DPAs).
      • Accredited organization in EU.
      • Accredited organization in US.
  • What are the principles Privacy Shield is based on?
  • How does it affect my business?
    • From the perspective of U.S. companies, the framework has tightened restrictions on forwarding Europeans’ personal data to other companies. In the technology sector in particular, this is going to require a lot more attentiveness on the part of those directly serving Europeans. The companies serving the customers will remain responsible for their personal data, even if the work is outsourced to subcontractors. Companies on the Privacy Shield register will also have to pledge not to collect more personal information than what they need for the purposes of their service.
  • When can we certify with Privacy Shield?
    • Going forward, the Privacy Shield framework will be published in the US Federal Register. Once US companies have had an opportunity to review the framework and update their compliance, they will be able to certify with the US Department of Commerce starting August 1st, 2016. Companies should also assess Privacy Shield’s impact on their EU-U.S. data transfer strategy. In particular, there is a limited “grace period” available in that companies that self-certify within two months of Privacy Shield’s effective date will be given a nine-month transitional period to address relationships with third parties.
  • Will it cost me to certify?
    • The total cost estimates are still unknown, but costs will depend on your business size and a fee charged by your independent dispute resolution organization.
  • Does the recently announced “Brexit” (British exit from the EU) impact the new framework?
    • No, Brexit will have no immediate impact on Privacy Shield. The exit is expected to take at least two years to fully occur, and if changes happen within that timeframe, we will be sure to let you know.
  • Should I seek legal counsel?
    • Privacy Shield will be complex; we strongly recommend consulting legal counsel with international privacy law expertise. If you would like to discuss Privacy Shield in greater detail and/or the specific impact on your company, feel free to contact us any time.

For more information regarding the Privacy Shield framework, please see the US International Trade Administration’s press release. Also, the US Department of Commerce has issued a “Fact Sheet” overview of the EU-US Privacy Shield Framework, which can be viewed here.

EU-US Privacy Shield

(Note: This article is an update on our first article about Privacy Shield posted in the February 2016 edition of GZ News.)

~by Paul Harris, Marketing Director

On July 12th, 2016 the European Commission (EC) adopted the new EU-U.S. Privacy Shield. The new Privacy Shield framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States, as well as bringing legal clarity for businesses relying on transatlantic data transfers.

Global-Z CEO and Co-Founder Dimitri Garder said: “In the upcoming weeks and months we will update our clients and partners regarding how the new Privacy Shield framework will impact our global data processing solutions.”

According to the press release issued by the European Commission, EU-U.S. Privacy Shield is based on the following principles:

  • Strong obligations on companies handling data. The U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure they follow the rules they submitted themselves to. If companies do not comply with them, they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.
  • Clear safeguards and transparency obligations on U.S. government access. The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area. The U.S. has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement. The Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State.
  • Effective protection of individual rights: Any EU citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself; or free of charge Alternative Dispute Resolution (ADR) solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens will be handled by an Ombudsperson independent from the US intelligence services.
  • Annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the U.S. Department of Commerce will conduct the review and associate national intelligence experts from the U.S. and European Data Protection Authorities. The Commission will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.

Next steps: The Privacy Shield framework will be published in the US Federal Register. The U.S. Department of Commerce will start operating the Privacy Shield. Once US companies have had an opportunity to review the framework and update their compliance, companies will be able to certify with the Commerce Department starting August 1st. Companies should assess Privacy Shield’s impact on their EU-U.S. data transfer strategy. In particular, there is a limited “grace period” available in that companies that self-certify within two months of Privacy Shield’s effective date will be given a nine-month transitional period to address relationships with third parties.

Please see the US International Trade Administration’s press release for additional information.