With the EU-U.S. Privacy Shield, the United States and the European Union share the goal of protecting the privacy of individuals' personal data. What makes the framework necessary is that the two jurisdictions take different approaches to how that protection is managed. The EU-U.S. Privacy Shield Framework exists to provide a consistent, reliable mechanism for transferring personal data from the European Union to the United States. Its goal is to continue to foster, promote, and develop commerce between Europe and the United States.
To join the EU-U.S. Privacy Shield, an organization must self-certify to the Department of Commerce that it adheres to the Privacy Shield Principles. Participation is voluntary, but once an organization self-certifies, its commitment to the Principles becomes a public one that is enforceable under U.S. law. A self-certified organization must:
- Be subject to the investigatory and enforcement powers of the Federal Trade Commission, the Department of Transportation, or another statutory body that can ensure compliance with the Principles.
- Publicly declare its commitment to comply with the Principles.
- Publicly disclose privacy policies consistent with the Principles.
- Fully implement the Principles.
The 7 Privacy Shield Principles
- Notice
Notice requires an organization to inform individuals about its participation in Privacy Shield and how it handles their personal data. It is one of the most extensive requirements and covers a range of specific disclosures, including the types of personal data collected and the purposes for which it is used, how individuals can contact the organization with inquiries or complaints, and the right of individuals to access their data.
The purpose of notice is to make individuals aware of their rights and of the standards the organization has committed to meet.
- Choice
An organization must offer individuals the opportunity to opt out when their personal information is to be disclosed to a third party or used for a purpose materially different from the one for which it was originally collected. For sensitive information, the organization must obtain affirmative express consent (opt in) before such disclosure or use.
- Accountability for Onward Transfer
To transfer personal information to a third party, an organization must comply with the Notice and Choice principles. When the third party is an agent acting on the organization's behalf, the organization must also:
- Transfer only data that is relevant and limited to the specified purposes.
- Ensure the agent is obligated to provide at least the same level of protection as the Principles require, whether or not the agent itself participates in Privacy Shield.
- Take reasonable steps to ensure the agent processes the data in a manner consistent with the Principles.
- Stop and remediate any unauthorized processing.
- Provide a summary of the relevant privacy provisions of its contract with the agent to the Department upon request.
- Security
Organizations creating, maintaining, using, or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the data.
- Data Integrity and Purpose Limitation
Personal information must be limited to what is relevant to the purposes of processing, and it must not be processed in a manner incompatible with the purposes for which it was collected or subsequently authorized by the individual. Organizations must also take reasonable steps to keep the data accurate, complete, and current for its intended use.
- Access
Individuals must be able to access the personal information an organization holds about them and to correct, amend, or delete it where it is inaccurate or has been processed in violation of the Principles.
- Recourse, Enforcement, and Liability
To protect personal information effectively, an organization must have mechanisms for ensuring compliance with the Principles, and recourse must be available to individuals when those Principles are not followed. At a minimum, this requires:
- Readily available independent recourse mechanisms for complaints and disputes, which investigate and resolve them at no cost to the affected individual.
- Follow-up procedures for verifying that the organization's statements about its privacy practices are true and have been implemented as represented.
- Obligations to remedy problems arising from non-compliance.
- Prompt responses, by the organization and its recourse mechanism, to inquiries and requests from the Department for information relating to Privacy Shield.
- A commitment to arbitrate claims that remain unresolved through the other recourse mechanisms.
- Continued responsibility for the personal information the organization receives under Privacy Shield, including after it is transferred onward to a third party acting as an agent.
It is important to fully understand the Principles and to have them in place before self-certifying, because an organization found not to be in compliance can be removed from the Privacy Shield list.
Is your organization looking for guidance in implementing policies and procedures that adhere to the EU-U.S. Privacy Shield Framework? Contact A-LIGN today for immediate assistance at [email protected] or 1-888-702-5446.
Privacy Shield Framework
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce together with the European Commission to give European and U.S. companies a mechanism for complying with EU data protection requirements when transferring personal data from the European Union to the U.S. in the course of transatlantic commerce.
U.S.-based organizations interested in joining the Privacy Shield Framework must self-certify to the Department of Commerce; applications from eligible organizations open on August 1st.
Self-Certification Process
An organization must confirm its participation in Privacy Shield on an annual basis. Any organization under the jurisdiction of the U.S. Federal Trade Commission (FTC) or the Department of Transportation (DOT) may participate. To self-certify, an organization must:
- Identify the independent recourse mechanism that will investigate unresolved complaints: the mechanism must be in place, and the organization registered with it where the mechanism requires registration, before self-certification. A private-sector dispute resolution program can serve as the independent recourse mechanism, and it must be available to individuals at no cost.
- Alternatively, an organization may choose to cooperate with the EU data protection authorities (DPAs) as its recourse mechanism, in which case it must cooperate with the DPAs with respect to all data covered by its certification:
  - If the self-certification covers human resources data (for example, personal information about current and former employees collected in the employment context), the organization must commit to cooperate with the EU DPAs with respect to that data.
- Ensure the organization's verification process is in place: verification may be done through self-assessment or an outside compliance review.
- Designate a contact within the organization who is responsible for handling questions, complaints, access requests, and other issues that may arise: this can be a corporate officer or another official within the organization, and complaints must be responded to within 45 days of receipt.
Overall, Privacy Shield imposes more obligations with respect to data protection and privacy than the Safe Harbor framework it replaces. Given these heightened standards, organizations that intend to certify should review their existing policies and procedures, particularly those regarding notice, choice, access, onward transfers, and recourse, to ensure they meet the Framework's requirements.