The EU-U.S. Privacy Shield agreement was finalized by the European Commission on July 12th. As of August 1st, companies are able to sign up to the Privacy Shield with the U.S. Department of Commerce, meaning U.S. multinationals can now legally process the personal data of EU employees and customers.
The Privacy Shield aims to offer stronger protection for transatlantic data flows. It is the successor to the Safe Harbor agreement, which was struck down last year by the European Court of Justice (ECJ), the EU’s highest court.
The U.S. Department of Commerce will verify applicants’ privacy policies to ensure that they comply with the data protection standards required by the Privacy Shield. The European Commission has also published a guide for citizens (http://ec.europa.eu/justice/data-protection/document/citizens-guide_en.pdf) explaining how EU data protection rights are guaranteed under the Privacy Shield and what remedies are available to individuals if they consider that their data has been misused and their data protection rights have not been respected.
Rights and Responsibilities under the Privacy Shield
The EU-U.S. Privacy Shield guarantees that everyone in the EU has a number of rights when their data is processed, such as the right to ask a company for further information about the data it holds about them, or to have their records amended if the data are outdated or inaccurate. They will also benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself; otherwise, free-of-charge Alternative Dispute Resolution (ADR) solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the U.S. Department of Commerce and the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of these means, an arbitration mechanism is available as a last resort. Redress regarding possible access to personal data for national security purposes will be handled by a new Ombudsperson independent from the U.S. intelligence services.
Thus, the Privacy Shield gives Europeans accessible and affordable mechanisms for raising complaints about how their personal data are used in the U.S. American organizations will have to respond to complaints from EU citizens about their handling of data within 45 days. The Privacy Shield also puts in place more oversight for data protection. The U.S. Department of Commerce and the Federal Trade Commission are clearly being given more responsibility to enforce European data protection requirements, and the Privacy Shield agreement itself will be a “living mechanism” that will undergo annual reviews.
In addition, the Privacy Shield tightens the rules on the “onward transfer” of data to third-party data processors. An organization can only share EU data subjects’ data with a third party if that third party is also certified under the Privacy Shield. Nevertheless, the data owner remains primarily liable for any violations committed by the third party, unless it can prove it was not responsible. This rule applies not only to American companies, but also to European companies that transfer data to U.S.-based processors.
More details on the differences between Safe Harbor and the Privacy Shield can be found in the European Commission’s fact sheet.
What if You Don’t Handle European Personal Data?
If you are a Canadian organization that doesn’t handle European citizens’ personal data, you may not have worried about the EU privacy legal framework before. However, it is not clear whether the EU Commission’s decision that Canada’s PIPEDA offers “adequate” protection for EU citizens will be upheld, for the following reason:
The EU General Data Protection Regulation (GDPR), the replacement for the EU Data Protection Directive, will be in effect by May 2018. The GDPR will expand the definition of “personal data” to encompass other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. A variety of data types, including demographic information commonly collected by businesses for targeted advertising purposes, will fall under this new definition. Will the EU Commission re-evaluate laws it has deemed adequate in the past under the Directive? We don’t know yet.
What is clear is that if your website can be reached by someone in the EU, and you are not interested in business from the EU and will not be taking the steps necessary to become GDPR ready, then at the very minimum your site’s terms and conditions should clearly state that the site is not intended for EU visitors.
While only about 4,500 American organizations certified under Safe Harbor, many more organizations may need to worry about the Privacy Shield when the GDPR goes into effect. Similarly, if Canada loses its adequacy status, principles similar to those of the Privacy Shield may be needed in Canada.
For assistance with determining how the overhaul of Europe’s privacy framework affects your organization, contact PRIVATECH.