The ways American companies and the United States government can collect, process, transfer, and store European citizens’ private data are changing. In 2015, European Union courts invalidated the US/EU privacy “Safe Harbor,” invalidating the decade-old information sharing agreement. American businesses, European citizens, and privacy advocates all over the globe have closely watched the development of Safe Harbor’s replacement policy. In the summer of 2016, Privacy Shield came to fruition and is enforced as of August 2016. This article takes a look at what Privacy Shield is and how it came to be.
Unlike in Europe, the United States does not have a central or comprehensive data protection regime like the Data Protection Directive. Instead, the US creates sectoral laws that govern specific industries. Examples include financial data protected by the Fair and Accurate Credit Transactions Act (FACTA), and Personal Health Information (PHI) protections by HIPAA, the Health Insurance Portability and Accountability Act of 1996. The European Union provides strong standards governing the use of personal data as a fundamental human right, and instantiated by the Data Protection Directive.
Due to these differing views, the EU and US came together to form Safe Harbor in 2000. This set of guidelines allowed for data transfers to the US with stricter than normal, EU style data protection standards. US companies agreeing to more stringent data protection were vetted to receive European data transfers. This was a huge deal at the time, with EU/US data transfers accounting for $300 billion in trade in the balance.
Not long after Safe Harbor went into effect, some in the EU began criticizing American business’ policies as lacking proper transparency and thought enforcement and compliance were not always happening. After much back and forth, the European Court of Justice invalidated Safe Harbor in 2015. The US and EU needed a new agreement for data transfer to continue across the Atlantic.
A New Policy
Privacy Shield replaced Safe Harbor in July 2016 after nine months of negotiations. This new agreement between the US and EU calls for the United States to increase monitoring and enforcement of its participating entities and to cooperate more fully with Data Protection Authorities in Europe. Enterprises have a joint review annually so the EU can immediately address any issues threatening data protection. Privacy Shield also includes something Safe Harbor left out: written guidelines for public authorities’ access to data. The new policy gives European citizens greater protection and more transparency when it comes to when and how their personal data are sent to the US.
The new policy requires American enterprises to:
- Complete self-certification annually
- Quickly respond to compliance complaints
- Work cooperatively with Data Protection Authorities in Europe
Components of the Privacy Shield
Privacy Shield is made up of four key elements:
- Commercial Obligations
- US Government Access
Companies now face greater transparency and oversight standards under Privacy Shield. Onward, third-party transfers will also be more closely monitored. Enterprises found to be out of compliance with Privacy Shield are subject to tighter sanctions and exclusion from future transfers. That would be a death knell of a multi-national corporation with large European revenue streams.
The US Department of Commerce agreed that any time public authorities access European citizens’ data, companies will provide the quantity of requests, limit personal information to only what is necessary for processing, provide oversight, and safeguards. The US Director of National Intelligence issued a written promise that no mass surveillance will take place.
Every year, the EU and the US Department of Commerce will hold a joint review monitoring the use and compliance of Privacy Shield participants. From this, the European Commission will present a public report to the European Council and Parliament with the findings of the review.
American companies must self-certify and apply to join the Privacy Shield through the Department of Commerce.
Privacy Shield went into effect in July 2016 as a replacement to Safe Harbor, after a European Court of Justice invalidated Safe Harbor. The framework is an agreement between the European Union and the United States outlining the transfer of European citizens’ personal data. Privacy Shield calls for more stringent oversight and enforcement as well as a written guarantee from the US that transfers will not be used for mass surveillance. American companies must self-certify and apply for approval to receive data.
CIPP Exam Preparation:
In preparation for the Certified Information Privacy Professional/Europe (CIPP/E) exam, a privacy professional should be comfortable with topics related to this post, including:
- European Regulatory Institutions (I.A.B.)
- The EU Data Protection Directive (95/46/EC) (I.C.B)
- European Data Protection Law and Regulation (II.A.B.)
- Compliance with European Data Protection Law and Regulation (III.E.)
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- Information Management from a US Perspective (I.C.i.j) (I.C.i.j.i)