Privacy Shield: 8 Things You Need to Know

21 November, 2017

What is the EU-US Privacy Shield?

The United States and the European Union have always enjoyed strong commercial ties. Necessary to that transatlantic relationship, especially in today’s global economy, is the transfer of records that contain personal data on customers and clients. This data might include names, phone numbers, birth dates, home and email addresses, credit card numbers, national insurance or employee numbers, login names, gender, marital status, or any other kind of information that makes it possible to identify an individual.

For instance, personal data might be collected in the EU by a branch or a business partner of an American company, which then uses that data in the US. This could be the case when a consumer buys goods or services online, uses social media or cloud storage services, or is an employee of an EU-based company that uses a company in the US (e.g. the parent company) to handle personal data. In these cases, EU law requires that when personal data are transferred to the US they continue to benefit from a high level of protection.

This is where the EU-US Privacy Shield comes in. The Privacy Shield allows personal data to be transferred from the EU to a company in the United States, provided that the company there processes (e.g. uses, stores and further transfers) that personal data according to a strong set of data protection rules and safeguards. The protection given to that personal data applies regardless of whether that person is an EU citizen or not.

How does the Privacy Shield work?

There are several lawful mechanisms for transferring personal data from the EU to the US, such as standard contractual clauses, binding corporate rules, and the Privacy Shield. If the Privacy Shield is used, US companies must first “self-certify” with the US Department of Commerce, which is responsible for managing and administering the Privacy Shield and for ensuring that companies live up to their commitments. The obligations that apply to companies under the Privacy Shield are contained in the “Privacy Principles.” In order to certify, a company must have a privacy policy in line with the Privacy Principles, and it must renew its certification on an annual basis. If it does not, it can no longer receive and use personal data from the EU under that framework.

Companies in the US that are Privacy Shield certified are listed on the Department of Commerce’s website. This list provides details on all the companies taking part in the Privacy Shield, the kind of personal data they use, and the kind of services they offer. These companies may only continue to hold and process personal data received under the framework if they commit to the Department of Commerce that they will apply the Privacy Principles on an ongoing basis.

The Privacy Shield obligates certified companies to protect personal data by adhering to the Privacy Principles, summarized here in 8 points:

1. AN INDIVIDUAL'S RIGHT TO BE INFORMED

A Privacy Shield company must inform its record owners about:

  • The types of personal data it processes
  • The reasons it processes personal data
  • If it intends to transfer personal data to another company and the reasons why
  • An individual’s right to ask the company for access to their personal data
  • A person’s right to choose whether to allow the company to use their personal data in a “materially different” way or to disclose it to another company (also known as the right to “opt-out”). When the data are sensitive (that is, data that reveal, for example, a person’s ethnic origin or the state of their health), the Privacy Shield company has to inform that person that it may only use or disclose such data if the individual consents (also known as the right to “opt-in”)
  • How an individual can contact the company if they have a complaint about the use of their personal data
  • The independent dispute resolution body, either in the EU or the US, where a record owner can bring their case
  • The government agency in the US that is responsible for investigating and enforcing the company’s obligations under the framework
  • The fact that it may have to disclose personal data in response to lawful requests from US public authorities, including for national security or law enforcement purposes

Further, a Privacy Shield company must give its record owners a link to its privacy policy if it has a public website or, if it does not, tell them where the policy can be accessed. It must also provide record owners with a link to the Privacy Shield List on the Department of Commerce website so they can easily check the company’s Privacy Shield status.

2. LIMITATIONS ON THE USE OF YOUR DATA FOR DIFFERENT PURPOSES

A Privacy Shield company can only use your personal data for the purpose for which it was originally collected or for a purpose you have subsequently authorized. If the company wants to use your data for a purpose different from the original one, the following rules apply:

  • Using your data for a purpose that is incompatible with the original purpose is never allowed
  • If the new purpose is compatible with the original purpose but is “materially different” from it, the Privacy Shield company may only use your data if you do not object (opt-out) or, in the case of sensitive data, if you consent (opt-in)
  • If the new purpose differs from the original one but is close enough that it would not be considered materially different, such use is permissible

For instance, if your employer has transferred your personal data to the US for processing, the US company might be allowed to use these data to offer you an insurance policy or pension scheme, as long as you do not object to such use. Conversely, it may not sell your data to a third party merchant for the purpose of offering you goods or services that have no relationship with your employment.

You also have a right to choose whether you allow a Privacy Shield company to pass on your personal data to another company, whether in the US or in another non-EU country. You do not have such a choice when your data will be sent to another company (known as an “agent”) that processes them on behalf of, in the name of and under the instructions of the Privacy Shield company; in that case, however, the Privacy Shield company must sign a contract with the agent that obliges the latter to provide the same data protection safeguards as contained in the Privacy Shield framework. The Privacy Shield company can be held liable for its agent’s actions if the agent does not respect the rules.

3. DATA MINIMIZATION AND THE OBLIGATION TO KEEP DATA ONLY FOR THE TIME NEEDED

The Privacy Shield company may only receive and process personal data to the extent they are relevant for the purpose of processing, and it has to ensure that the data used are accurate, reliable, complete and up to date. It is only allowed to keep your personal data for as long as necessary for the purpose of processing. It may keep your data for longer only if it needs them for certain specified purposes, such as archiving in the public interest, journalism, literature and art, scientific or historical research, or statistical analysis. If your data continue to be processed for these purposes, the company must, of course, still comply with the Privacy Principles.

4. OBLIGATION TO SECURE DATA

The company must ensure that personal data are kept in a safe environment and secured against loss, misuse, unauthorized access, disclosure, alteration or destruction, taking due account of the nature of the data and the risks involved in the processing.

5. OBLIGATION TO PROTECT DATA IF TRANSFERRED TO ANOTHER COMPANY

If a Privacy Shield company transfers records to another company, the company that receives the data must ensure the same level of protection of the personal data as guaranteed under the Privacy Shield framework. This requires a contract between the Privacy Shield company and the third party setting out the conditions under which the third party can use the personal data and its responsibilities to protect them. The contract must require the third party to inform the Privacy Shield company if it can no longer meet its obligations, in which case it must stop using the data. Stricter rules apply where the third party is acting as an agent on behalf of the Privacy Shield company: here, the Privacy Shield company can be held liable for the actions of an agent that does not meet its obligations to protect personal data.

6. THE RIGHT TO ACCESS AND CORRECT DATA

Individuals have the right to ask the Privacy Shield company for access to their personal data. This includes the right to have the personal data communicated to them, as well as information about the purpose for which the data are processed, the categories of personal data concerned and the recipients to whom the data are disclosed. The individual can then request that the company correct, amend or delete records if they are inaccurate or outdated, or if they have been processed in violation of the Privacy Shield rules.

7. THE RIGHT TO LODGE A COMPLAINT AND OBTAIN A REMEDY

If the company does not follow the rules of the Privacy Shield and violates its obligation to protect an individual’s personal data, that individual has the right to complain and obtain a remedy, free of charge. Privacy Shield companies are obliged to provide an independent recourse mechanism to investigate unresolved complaints. For instance, they can choose an alternative dispute resolution (ADR) body or commit to cooperate with the EU Data Protection Authorities (DPAs).

Consequently, individuals have several possibilities to lodge a complaint, namely with the:

  1. The US Privacy Shield company itself
  2. The independent recourse mechanism the company has chosen, such as an ADR body or the DPAs
  3. The US Department of Commerce, via referral from a DPA
  4. The US Federal Trade Commission (or the US Department of Transportation if the complaint relates to an airline or ticket agent)
  5. The Privacy Shield Panel (binding arbitration, available only after the other redress options have failed)

8. REDRESS IN CASE OF ACCESS BY US PUBLIC AUTHORITIES

Finally, the protection of personal data may also be affected when US public authorities access that data. The Privacy Shield ensures that this will occur only to the extent necessary to pursue a public interest objective such as national security or law enforcement. While existing US law already provides individuals with protections and remedies in the law enforcement area, the Privacy Shield framework for the first time creates a dedicated instrument to address national security access: the so-called Ombudsperson mechanism.

ShareVault has complied with EU data transfer requirements since the earlier Safe Harbor framework, under which it was certified. It is now also Privacy Shield certified for all of its EU customers and its customers’ EU users. ShareVault’s listing can be found in the global Privacy Shield registry on the Department of Commerce website.


About the Author

Phillip Bandy is ShareVault’s chief information security officer (CISO) and is responsible for establishing security standards and controls, guiding the implementation of security technologies, and managing the establishment and implementation of security policies and procedures. He is an expert in computer incident response and has implemented computer security controls for NASA’s Mission Control.
