The European Commission on Feb. 29, 2016, proposed the Privacy Shield framework, which would govern trans-Atlantic data transfers and replace the Safe Harbor agreement. Safe Harbor had allowed for the free flow of EU residents’ personal data between self-certified businesses in the EU and the U.S., but was invalidated by an October 2015 ruling of the Court of Justice of the European Union.
The European Commission developed the new proposal with the U.S. Commerce Department.
Obligations of self-certified businesses* under the proposed Privacy Shield

| Principle | Obligations of businesses |
|---|---|
| Notice | Provide information to data subjects on key elements of processing, including the type of data processed, the purpose of processing, and rights of access. |
| Choice | Obtain express consent (opt-in) from data subjects to process sensitive data; data subjects may object to their data being disclosed to third parties, and may opt out of direct marketing at any time. |
| Security | Take reasonable and appropriate security measures when processing personal data. |
| Data integrity and purpose limitation | Ensure that personal data is limited to what is relevant for the purposes of the processing and is reliable, accurate, complete, and current. Preserve the rights of data subjects to obtain confirmation that the business is processing personal data related to them and to have that data communicated to them. |
| Accountability for onward transfer | Transfer data to third parties only for limited and specified purposes, on the basis of a contract or comparable arrangement, and only if the contract provides the protection guaranteed by the privacy principles. |
| Recourse, enforcement, and liability | Recertify participation in the Privacy Shield annually, and put in place an effective redress mechanism for complaints. |
How the U.S. will administer the Privacy Shield
- The Commerce Department will maintain a public list of self-certified businesses
- Businesses that fail to comply with the principles will be removed from the Privacy Shield list and must return or delete the data received under it
- Businesses leaving the Privacy Shield must remove all statements implying continued participation
- The Commerce Department will monitor for false claims of Privacy Shield participation and refer them to enforcement authorities
Complaint handling and enforcement
- Businesses must put in place an effective redress mechanism to handle complaints from EU data subjects
- Businesses must provide a response to the data subject within 45 days of a complaint, and responses must assess the merits of the case and, where appropriate, explain how the business will rectify the problem
- Businesses must designate an independent dispute-resolution body to investigate and resolve individual complaints and, where appropriate, provide recourse free of charge to the data subject
- The Commerce Department will conduct compliance reviews of self-certified businesses, and will systematically investigate specific complaints
- The Federal Trade Commission can enforce and monitor compliance through administrative orders, and may seek civil penalties and other remedies for businesses that fail to comply with orders
- As a recourse mechanism of last resort, a data subject may invoke binding arbitration by the Privacy Shield Panel consisting of independent arbitrators designated by the Commerce Department and European Commission
* The scope of the Privacy Shield remains the same as under Safe Harbor: only U.S. organizations subject to the jurisdiction of the Federal Trade Commission, or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation, can participate in the Privacy Shield. Organizations generally not subject to FTC jurisdiction include certain financial institutions (such as banks, investment houses, credit unions, and savings and loan institutions) and telecommunications common carriers.
Promontory assists companies throughout the full life cycle of building, managing, and sustaining privacy and data protection governance programs. For more information about how we can help your organization enhance its GDPR practices, please contact a senior member of our privacy and data protection team:
Senior Principal, London
+44 207 997 3417
+44 207 997 3407
Director, San Francisco
+1 415 291 2679
Managing Director, London
+44 207 997 3456
Director, San Francisco
+1 415 291 2671