There are new Privacy Shield principles because the final Privacy Shield was approved by the US and EU delegations on 12 July 2016. This is an extremely important development in the area of digital commerce and has a far-reaching impact for anyone involved in the transfer of personal data between the EU and US. The new Privacy Shield takes the place of the old Safe Harbor agreement and brings with it new Privacy Shield principles issued by the U.S. Department of Commerce.
What is the Privacy Shield?
The Privacy Shield is not an international agreement, treaty or law. It is a voluntary set of privacy principles that US companies can publicly commit to follow. The privacy principles are backed by robust monitoring mechanisms, enforcement and accountability.
In essence, the Safe Harbor agreement was declared invalid because the EU governments could not guarantee that EU citizens’ data was transported safely to the US and was free from interference by national intelligence agencies. The Privacy Shield addresses these concerns with the GDPR requirements in mind, in order to facilitate the safe transport of personal data between the EU and US.
The Privacy Shield is the new Safe Harbor agreement
The Privacy Shield Principles
- New obligations for handling and onward transfers
  - One of the most important Privacy Shield principles is that a company may only keep data for as long as it serves the purpose for which it was collected.
  - Signing up to the Privacy Shield principles and participating in the agreement is now a wholly transparent process. The process has effective supervision mechanisms, so if companies do not comply with the Privacy Shield principles they will face sanctions and removal from the Privacy Shield list. This could lead to severe reputational damage for companies.
  - In terms of onward transfers, if a company signs up to the Privacy Shield principles then it must provide the same level of protection for any onward transfers of personal data.
  - If the onward transfer is being handled by a third party, that third party must inform the Privacy Shield company when it is no longer able to ensure the appropriate level of data protection. The Privacy Shield company will then have to take appropriate measures to ensure that level of protection is maintained. This is a higher level of accountability than was required by the Safe Harbor agreement.
- Restrictions on US government access to personal data
  - The US Director of National Intelligence has made a written commitment stating that there will not be indiscriminate mass surveillance of data transferred under the Privacy Shield.
  - Bulk collection of data is only permitted under specific preconditions. In order to ensure compliance and deal with complaints, the Privacy Shield establishes an ombudsman who is entirely independent from the national security agencies.
  - If there is a complaint from an individual, the role of the ombudsman will be to tell the individual whether the entity in question has complied with the laws. If the entity has not complied with the laws, the ombudsman must ensure compliance.
- New dispute resolution mechanisms
  - Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms, including alternative dispute resolution.
  - Individuals can complain to the EU Data Protection Authorities, who will channel complaints to the US Department of Commerce and Federal Trade Commission and pursue those complaints to ensure they get investigated and resolved.
  - In addition to these redress mechanisms, there will also be an annual joint review mechanism with stakeholders on both sides of the Atlantic.
Why should companies register for the Privacy Shield?
Companies should sign up to the Privacy Shield principles because it provides a strong, durable and reasonable framework for digital transfers across the Atlantic. Furthermore, the Privacy Shield has been designed to be flexible and to accommodate the rapid changes in the digital economy.
The effective date for the Privacy Shield is 1 August 2016. Companies that register within the first 2 months of the effective date will have 9 months from their date of certification to bring their contracts into compliance.
We’ve read the Privacy Shield principles so you don’t have to, and created this summary. If you would like to know more about the Privacy Shield principles and how they affect your business, then contact us.