Companies that receive personal data from Europe, whether directly or through third parties, will need to comply with the new requirements. Many companies relied on the Safe Harbor framework, but it no longer provides a valid legal basis for transfers. When considering whether this applies to your company, evaluate all data that your company currently receives, stores, accesses, or otherwise handles.

Legal Update

Our Strength Comes From the Shield! – The Privacy Shield that is…

The first thing that comes to mind when you hear the words “Privacy Shield” is a new Marvel comic or superhero movie in the theater.  Just as Captain America’s shield protects him from bullets and flying debris, the Privacy Shield is meant to protect personal and sensitive data.

Protecting personal data in transit is difficult if a company does not have a proper transfer mechanism in place.  It becomes even more of a challenge when the transfer is from the EU to the US.   Until recently, the “gold standard” mechanism for moving such data was the Safe Harbor framework.  Thousands of US companies relied on it.  It required a company to self-certify annually to the Department of Commerce that it complied with privacy principles consistent with European law.

On October 6, 2015, the European Court of Justice issued a judgment declaring invalid the European Commission’s July 26, 2000 decision on the legal adequacy of Safe Harbor.  In other words, the court ruled that the “safe harbor” arrangement that allowed the transfer of European citizens’ data to the US was no longer valid. This caused many companies to panic, especially those that depended on the Safe Harbor framework.  Companies needed to look for other mechanisms to transfer personal data from the EU to the US.  Model Clauses, Binding Corporate Rules and other options remained available; however, given that the gold standard had been struck down, there was no guarantee that these methods would not also be challenged.

Less than five months later, on February 29, 2016, the Department of Commerce and the European Commission publicly released the EU-U.S. Privacy Shield Framework. This Framework, which replaces the Safe Harbor program, provides a legal mechanism for companies to transfer personal data from the EU to the United States, and it will be enforced by the Federal Trade Commission (FTC). The Privacy Shield is designed to give companies on both sides of the Atlantic a way to comply with EU data protection requirements when transferring personal data from the EU to the US in support of transatlantic commerce.

What are the requirements for a company that wishes to use the Privacy Shield?

  • Be a US-based company
  • Self-certify to the Department of Commerce
  • Publicly commit to adhere to the Privacy Shield Principles
  • Publicly disclose its Privacy Policy
  • Actually implement the Principles in practice
  • Provide a detailed description of its activities involving EU residents’ personal data and the related privacy policies
  • Have the self-certification signed by a corporate officer
  • Make arbitration available for disputes

All data subjects must be provided with a declaration of the company’s participation in the Privacy Shield program, a statement of their right of access to their personal data, and the identification of the arbitration forum for disputes.

Under the Privacy Shield, participating companies remain committed to the highest level of protection for the data they collect, handle and transfer, on behalf of their customers, consumers, clients, vendors and employees.

There are six key principles to which any company that handles personal data should adhere, regardless of whether it transfers data from the EU to the US:

  • Inform individuals how their data is collected, shared and stored, through the Privacy Notice/Privacy Policy
  • Collect only what is strictly necessary for business purposes and permitted by law
  • Ensure accountability for how data is transferred and handled
  • Be transparent about your actions and keep the privacy commitments made to consumers, customers, clients, vendors and employees
  • Cooperate with enforcement agencies
  • Keep good records

For more information about complying with these new rules, please contact Virtual Paralegal Services.