The information presented in this overview is not intended to provide any legal advice. Privacy laws around the world regarding personal data vary and can be open to interpretation. Consult your legal counsel for specific information regarding sending email into specific countries or regions.
EU-US Privacy Shield
The EU-US Privacy Shield is a legal framework created by the U.S. Department of Commerce and the European Commission for the transfer and protection of personal data. It replaces the Safe Harbour framework which was declared invalid by the European Court of Justice in October, 2015.
Privacy Shield requires companies in the U.S. to better protect the personal data for individuals in the European Union and requires that U.S. companies self-certify annually that they meet the requirements.
Participation is optional, but companies that make the commitment to comply with the requirements agree that the rules are enforceable under U.S. law. Companies interested in complying with Privacy Shield should review all requirements prior to self-certifying.
Certifying to Privacy Shield means, among other specifics, compliance with seven core principles. To view the complete list of core and supplemental principles, and to self-certify, visit the EU-US Privacy Shield website.
- Notice: Informing individuals about participation, disclosing the types and purpose of data collected and how the data will be used.
- Choice: Allowing individuals to opt-out of the disclosure and sharing of personal data with a third party.
- Accountability for Onward Transfer: Ensuring that privacy and protection requirements are followed when transferred through a third party.
- Security: Keeping data secure from misuse and unauthorized access.
- Data Integrity and Purpose Limitation: Ensuring data is used for its intended purpose based on how it was collected and the consent given by the individual.
- Access: Providing individuals the ability to access, edit or delete their personal information.
- Recourse, Enforcement and Liability: Ensuring mechanisms are in place to ensure individuals have recourse if the company does not comply with the Privacy Shield directives.
What are some of the key differences between Privacy Shield and Safe Harbor?
- Stronger obligations on companies handling data.
- Companies are required to appoint a Data Protection Officer (DPO) who will provide people a mechanism for their “right to be forgotten”.
- Breaches of personal data must be reported within 72 hours of discovery.
- Data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipients will provide the same level of protection as the Privacy Shield principles (Heightened Onward Transfer Requirements).
- Privacy Shield requires organizations to provide an independent recourse mechanism (for example the DMA or TRUSTe) that will investigate and resolve complaints and disputes at no cost to the individual.
- Participating organizations are subjected to additional compliance and reporting obligations, some of which will continue even after withdrawal from the Privacy Shield. As was required under the Safe Harbor, organizations must re-certify their compliance on an annual basis. In addition, Privacy Shield organizations are required to maintain records regarding the implementation of their privacy program and provide them to regulators upon request.