Aug 30, 201611:32 AMLegal Login
with Mindi Giftos and Andrew Schlidt
Should my company self-certify under the EU–US privacy shield?
(page 1 of 2)
In the European Union, personal data may be collected only under strict conditions and for legitimate purposes. The United States, on the other hand, does not have an overarching federal law regulating the collection and transfer of personal data. For many years companies could rely upon the U.S.–EU Safe Harbor to lawfully make transatlantic data transfers and bridge the gap between the differing privacy frameworks.
However, in October 2015 the EU Court of Justice invalidated the U.S.–EU Safe Harbor on the grounds that it did not adequately protect personal data. This ruling jeopardized the continued flow of data from the EU to the United States and left many companies wondering how they could continue collecting and using data from the EU without violating the law.
One mechanism designed to resolve this issue is the EU–U.S. Privacy Shield Framework, which was approved and launched on July 12, 2016. The Privacy Shield is designed to protect the rights of individuals in the EU whose personal data is transferred to the United States, and to bring clarity to businesses who rely on transatlantic data transfers. The Privacy Shield includes:
- Strong data protection obligations on companies that collect and transfer the personal data of EU citizens;
- Clear safeguards and obligations of transparency for U.S. government agency access to personal data;
- New redress and complaint mechanisms for EU citizens; and
- Annual joint review to continually monitor implementation of Privacy Shield requirements.
Beginning on Aug. 1, 2016, companies may self-certify with the U.S. Department of Commerce that they meet the requirements of the Privacy Shield. The self-certification process requires a company to make two commitments: (1) that it will adhere to the Privacy Shield Principles; and (2) it will publicly declare its commitment to comply with the Privacy Shield.
What are the principles?
The Privacy Shield requires companies to adhere to the following principles:
- Notice. Companies must provide clear notice to individuals of what their practices are, what individuals’ rights are, and how they can enforce and redress their rights. For example, companies must inform individuals that it has committed to adhere to the Privacy Shield and provide a link to or the web address for the Privacy Shield List. They must also clearly identify the types of personal information they collect, the purposes for which information is collected, and to whom data may be transferred. In addition, companies must inform individuals of their rights to redress, how to contact the company for information or complaints, what choices they have for limiting use and collection of data, and how they can invoke their right to arbitration.
- Security. Organizations must take reasonable and appropriate measures to protect against loss, misuse, and unauthorized access and disclosure of the personal data.
- Data integrity and purpose limitation. Companies must use personal information only for the purpose for which it was collected and processed.
- Choice. Companies must offer individuals the clear, conspicuous, and readily available mechanisms to exercise choice as to how and whether their personal information may be collected and used.
- Access. Individuals must have the right and opportunity to access personal information collected about them and to correct, amend, or delete that information if it is inaccurate or was collected in violation of the principles. There are exceptions if the burden or expense of providing access is disproportionate to the risk of violating the individual’s privacy, or where access may violate the privacy rights of others.
- Accountability for onward transfers. Companies are restricted on whom and under what circumstances they may transfer personal information. For example, if information is transferred to a third party, it may be only for limited and specified purposes, and only under contractual provisions that have the same obligations set forth in the Privacy Shield.
- Recourse, enforcement, and liability. Individuals must have recourse for violations of the principles. The certification process allows the U.S. Department of Commerce and Federal Trade Commission the right to actively monitor and enforce compliance. There are also clear limitations, safeguards, and oversight mechanisms to protect individuals from access to their information by U.S. government agencies.