What are the EU-U.S. Privacy Shield Principles?

With the EU-U.S. Privacy Shield, the United States and the European Union share the goal of improving the privacy of citizens’ sensitive information. However, what makes the framework necessary is that each has a differing approach on how to manage the protection of information. The EU-U.S. Privacy Shield Framework exists in order to provide consistent, reliable mechanisms for the transfer of personal data between the United States and the European Union. The goal of this program is to continue to foster, promote and develop international commerce between Europe and the United States.

Read More: An Overview of the Privacy Shield Framework

In order to enter into the EU-U.S. Privacy Shield, an organization must self-certify adherence to the Principles to the Department of Commerce. Entering into the Privacy Shield is a voluntary process, but once self-certified, organizations publicly commit their adherence to the Principles. Once this happens, organizations must:

  1. Be subjected to regulation from the Federal Trade Commission, Department of Transportation and other regulatory bodies that will ensure compliance with the Principles.
  2. Publicly declare commitment to comply with the Principles.
  3. Publicly disclose privacy policies in line with these Principles.
  4. Fully implement the Principles.

The 7 Privacy Shield Principles

  1. Notice

Notice is the idea that an organization must inform individuals about items relevant to them. It is one of the most extensive requirements, that details a variety of different notice requirements including informing individuals on how to contact the organization with complaints or inquiries, releasing the types of personal data that is collected and how it is used, and the rights of individuals to access said information.

The idea behind notice is to inform individuals of their rights in regard to better understanding the standards that an organization must adhere to.

  1. Choice

An organization must provide an opt-out policy for individuals in the event that the information is going to be disclosed to a third party or to be used for a purpose that differs from the original collection. When dealing with sensitive information, an opt-in policy must be provided for individuals prior to the disclosure of information.

  1. Accountability for Onward Transfer

In the event that sensitive information is transferred, organizations must comply with the Notice and Choice principles to transfer information to a third party organization. In order to transfer the information, organizations must:

  • Transfer only relevant data.
  • Be certain that the agent is obligated to provide the same protection as is required by the principles, regardless of their own involvement in the Privacy Shield agreement.
  • Take steps to ensure the data is transferred consistently with the Principles.
  • Remediate and/or stop any unauthorized processing.
  • Provide a summary of its contract with the agent to the Department if requested.
  1. Security

Organizations creating, maintaining, using, or disseminating personal information must take steps to ensure its security.

  1. Data Integrity and Purpose Limitation

Information should only be collected if it is relevant to the purpose of processing.

  1. Access

Individuals must be able to access and edit information that an organization has collected about them, and delete said information if it is inaccurate.

  1. Recourse, Enforcement, and Liability

In order to effectively protect information, an organization must have mechanisms to ensure compliance with the principles. For instances of non-compliance, recourse must be made available. Minimum mechanisms include:

  • Readily available independent recourse mechanisms for complaints and disputes. These are investigated at no cost to the afflicted individual.
  • Follow-up procedures for verifying compliance.
  • The ability to remedy problems to ensure compliance.
  • Organizations and their recourse mechanism must respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield.
  • Organization must arbitrate claims.
  • A Privacy Shield organization has the responsibility for processing the personal information it receives under the Privacy Shield, and the subsequent transfer to a third-party organization.

It is important to fully understand the principles and ensure that they are in place prior to self-certification because organizations can be removed from the Privacy Shield list if they are found to be not in compliance with the principles.

Is your organization looking for guidance in implementing policies and procedures that adhere to the EU-U.S. Privacy Shield Framework? Contact A-LIGN today for immediate assistance at [email protected] or 1-888-702-5446.