Just as Captain America’s shield protects him from bullets and flying debris, a privacy shield provides protection to personal and sensitive data. Data protection is a difficult task, especially when data is being transferred. If a company does not have the proper mechanism in place, trouble can ensue. For example, when dealing with transfers from Europe (EU) to the United States (US), data protection can be tricky. Up until recently, the “gold standard” transfer mechanism to move data was the Safe Harbor framework, but only a handful of US companies have used it. Why? It was costly and required that a company certify annually that it complied with certain privacy principles consistent with European law.
On October 6, 2015, the European Court of Justice issued a judgment declaring invalid the European Commission’s July 26, 2000 decision on the legal adequacy of Safe Harbor. The European Court of Justice has ruled that the “safe harbor” agreement that allowed the transfer of European citizens’ data to the US is no longer valid. This caused many companies to panic, especially if they were using the Safe Harbor framework. Companies needed to look for other mechanisms to transfer data out of the EU to the US. Model clauses, binding corporate rules and other options were available to use; however, given that the gold standard was struck down, there was no guarantee that these methods would not also be challenged.
Enter the Privacy Shield
It took six months, and on February 29, 2016, the Department of Commerce and the European Commission publicly released the EU-US Privacy Shield Framework. This framework, which replaces the Safe Harbor program, provides a legal mechanism for companies to transfer personal data from the EU to the US. It will be enforced by the Federal Trade Commission (FTC). The Privacy Shield is designed to provide companies on both sides of the Atlantic with a method to comply with the EU data protection requirements when transferring personal data from the EU to the US in support of transatlantic commerce.
What are the requirements for a company to use the Privacy Shield?
- US-based company
- Required to self-certify to the Department of Commerce
- Publicize commitment to adhere to the Privacy Shield Principles
- Must actually implement the principles
- Must provide a detailed description of activities involving EU residents’ personal data and its related privacy policies
- Must be signed by a corporate officer
- Make arbitration available for disputes
- All data subjects must be provided with a declaration of the company’s participation in the Privacy Shield program, a statement of right of access to their personal data, and the identification of the arbitration forum for disputes.
Under the Privacy Shield, companies are still committed to the highest level of protection of the data they collect, handle and transfer. They want the best for their customers, consumers, clients, vendors and employees.
There are six key principles that any company that handles personal data should adhere to, whether or not it transfers data from the EU to the US. They are:
- Only collect what is absolutely necessary for business purposes and allowed by law
- Ensure accountability for how data is transferred and handled
- Be transparent with actions and stick to privacy commitments made to consumers, customers, clients, vendors and employees
- Cooperate with enforcement agencies
- Keep good records
For more information about complying with these new rules, please contact Virtual Paralegal Services.