Want your business to be recognized as Privacy Shield Certified ?
What is GDPR?
General Data Protection Regulation (GDPR) is a set of laws on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA).
GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws.
EU does not list the US as one of the countries that meets the GDPR requirement and hence Privacy Shield Framework were design
Privacy Shield Overview:
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law. On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S.
Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States
Privacy Shield Benefits:
The Privacy Shield provides many important benefits to U.S.-based organizations, as well as their partners in Europe. These include:
- Participating organizations are deemed to provide “adequate” privacy protection, a requirement (subject to limited derogations) for the transfer of personal data outside of the European Union under the EU General Data Protection Regulation (GDPR) and outside of Switzerland under the Swiss Federal Act on Data Protection;
- EU Member State requirements for prior approval of data transfers either are waived or approval will be automatically granted; and
- Compliance requirements are clearly laid out and cost-effective, which should particularly benefit small and medium-sized enterprises..
What do the Privacy Shield Principles Required?
a. An organization must inform individuals about:
- i. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,
- ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,
- iii. its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield,
- iv. the purposes for which it collects and uses personal information about them,
- v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints,
- vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,
- vii. the right of individuals to access their personal data,
- viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,
- ix. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States,
- x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body,
- xi. the possibility, under certain conditions, for the individual to invoke binding arbitration,
- xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
- xiii. its liability in cases of onward transfers to third parties.
b. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.
a. An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice.
b. By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agent.
c. For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.
a. To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.
b. To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
a. Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
a. Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing.2 An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information.
b. Information may be retained in a form identifying or making identifiable3 the individual only for as long as it serves a purpose of processing within the meaning of 5a. This obligation does not prevent organizations from processing personal information for longer periods for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis. In these cases, such processing shall be subject to the other Principles and provisions of the Framework. Organizations should take reasonable and appropriate measures in complying with this provision.
*****
2. Depending on the circumstances, examples of compatible processing purposes may include those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
3. In this context, if, given the means of identification reasonably likely to be used (considering, among other things, the costs of and the amount of time required for identification and the available technology at the time of the processing) and the form in which the data is retained, an individual could reasonably be identified by the organization, or a third party if it would have access to the data, then the individual is “identifiable.”
a. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
a. Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include:
- i. readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide;
- ii. follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and
- iii. obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.
b. Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints.
c. Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I.
d. In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
e. When an organization becomes subject to an FTC or court order based on non-compliance, the organization shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions.
Complete list of Privacy Shield Principles and Supplemental Principles are available at Privacy Shield Website
How we can assist your organization to comply with Privacy Shield Requirements
- We will review Privacy Shield Framework requirements with you to determine if it is a right solution for your business
- We will assist you in developing a privacy policy that meets the Privacy Shield principles. We will do so by
- Analyzing the inflow of the data in your organization, Data Usage, and the data that you share with third parties outside of your organization.
- Help determine who to give the notices and when.
- Once it is in place, we will make sure that the notices are drafted accurately and are given at all appropriate times and places.
- Opt/in and Opt/out
- Onward Transfer
- Access
- Security of personal Information
- Data Integrity
- Enforcement
- Assessment
- Training
- We will provide technical assistance and educational materials to assist you throughout the process for understanding and meeting the Privacy Shield requirements. We stand ready to assist your organization in:
- Meeting the US Department of Commerce’s registration requirements for Privacy Shield
- Developing required processes/procedures for your organization.
- Suggesting an independent third-party dispute resolution mechanism, and
- Addressing any other questions or concerns your company has regarding the safe harbor process.
A privacy policy adhering to the Privacy Shield principles will indicate that your organization places great value on data privacy protection and will make every effort to respect Europeans’ and/or Swiss’ requests regarding use of their personal information.