In October of 2015, the EU-U.S. Safe Harbor program was invalidated, and in February of 2016, a draft of the new EU-US Privacy Shield was introduced.
This will be very important to you if your business is based in the U.S. and you collect, use and/or store any personal information about European citizens.
What was Safe Harbor
The Safe Harbor program was created in the year 2000 between the EU and the U.S. in an attempt to make sure that both EU and U.S. businesses would be complying with EU privacy laws when dealing with personal information from EU citizens.
Under EU privacy laws, personal information from EU citizens cannot be transferred outside of the EU unless adequate guarantees for the privacy of that data are made.
Safe Harbor created a streamlined and rather a convenient way for a large number of businesses to be compliant with privacy laws and legally transfer personal data from the EU to the U.S.
Only certain industries were able to participate in the Safe Harbor, including:
- Industries that fall under jurisdiction of the Federal Trade Commission (FTC), such as: food, healthcare, energy etc.
- Industries that fall under jurisdiction of the Department of Transportation (DoT), such as some U.S. ticket agents, air carriers etc.
If your business was in one of these categories, and your business collected, used, and/or stored personal information from European citizens, you were eligible to participate in the Safe Harbor.
Participating in the Safe Harbor provided benefits to business owners:
- Your business would be deemed to have adequate privacy protection in place to meet both U.S. and EU privacy standards,
- Litigation was streamlined, and
- Requirements of prior approval for data transfers would be automatically granted or waived for all states participating in Safe Harbor.
Joining Safe Harbor was voluntary and relatively easy to do. A business or organization that wished to join had to:
- Comply with the 7 Privacy Principles of the Safe Harbor program
- Declare your compliance publicly and submit a certification form with a processing fee
- Annually submit a self-certification stating the agreeance to comply with the requirements
Basically, under the Safe Harbor, a U.S. business was able to take a few basic steps to self-certify that it would be complying with the data protection standards in place in the EU, and this would allow the business to legally transfer European data to the US.
Thousands of businesses and companies took part in the Safe Harbor, including Google, Apple, and Facebook, just to name a few of the big players.
Sounds pretty good, right? So, why was Safe Harbor invalidated?
The end of Safe Harbor
In October of 2015, an Australian privacy activist filed a lawsuit against Facebook, alleging that Facebook's handling of his personal information was not legal because it violated European privacy law.
Eventually, the court invalidated the Safe Harbor agreement because it concluded that even if U.S. companies were following Safe Harbor guidelines and taking measures to protect personal information collected from European citizens, this personal information is still at risk of being misused once in the U.S. because U.S. public authorities are not subject to the Safe Harbor guidelines and could obtain this information via surveillance.
And that was the end of Safe Harbor.
The New Privacy Shield
In February of this year, the EU and the U.S. released proposed framework for the Privacy Shield in a draft that included new and more rigorous obligations for U.S. businesses who wish to transfer personal information about EU citizens back to the United States.
On July 12th, the European Commission formally adopted the Privacy Shield. Beginning on August 1, 2016, businesses that are compliant can certify as such with the Department of Commerce.
The new obligations in the Privacy Shield include more broadly reaching and in-depth certification requirements, as well as changes in the following areas:
- New requirements for how notice of compliance and privacy practices is given to users,
- New and more strict requirements for how vendor agreements and third party contracts are handled,
- More limitations on what data may be collected and how it may be used,
- Citizens now have more rights and remedies in the event of a complaint or violation of their privacy, and
- Dispute resolution and remedy mechanisms have been broadened in the favor of EU citizens' privacy
Self-certification will still be practiced, but with more strict initial requirements, as well as additional mechanisms in place to ensure actual and continued compliance, both by U.S. businesses and U.S. public authorities.
- What personal information you're collecting
- How you'll be using this personal information
- What access third parties have to this personal information and the scope of their access
- Your responsibility and liability for any personal information that's transferred to a third party
- How users can access their personal information after you collect it
- How users can control the way you use and disseminate their personal information
- How users can opt out of having you share their personal information with third parties
- How users can opt out of you using their personal data beyond what you've disclosed already
- How you will always obtain affirmative consent from a user before you disclose any of their sensitive information.
You must also have a procedure in place for how you will handle complaints that your users may lodge against you under the Privacy Shield.
- Description of your procedure for handling complaints,
- Information about which independent dispute resolution body will be used in the event of a complaint, and
- Notice that your users may have a right to binding arbitration.
Note: There's currently no link to this DoC list, but in the future, as businesses become certified, this will exist and be part of the requirements.
Third party dealings
If you rely on a third party or multiple third parties to transfer personal information to your U.S. business from the EU, you'll want to pay special attention to this section.
In the event the third party you use for this information transfer fails to comply with Privacy Shield principles, you'll be held liable unless you can actually show that you aren't responsible for the event that failed to comply.
You should already be paying special attention to whether third parties you use have adequate procedures and policies in place to ensure the protection of personal data, and now compliance with Privacy Shield principles, as well. You might find yourself needing to create a new agreement with a third party you've worked with in the past, or renegotiating an existing agreement to include new clauses and clarifications.
Any agreement between your business and a third party that transfers information from the EU to the U.S. must:
- State very clearly that any personal information can only be transferred within the specific scope of use that your user/s have affirmatively consented to,
- State that the third party you're using is required to and will comply with Privacy Shield principles, and
State that your business will take steps that are appropriate and reasonable to make sure that the third party is actually complying with these principles.
These steps can include monitoring and evaluating mechanisms and should include a remedy for how you can intervene or alter the way the third-party is handling information if you find a violation.
Limit data collection
The Privacy Shield requires that any data you collect must be:
- Relevant for processing purposes,
- Reliable for the use you intend to use it for,
- Complete, and
If you store data for long periods of time, this data may become less accurate and complete, and certainly not current. It also may not be relevant for your purposes any longer if your business practices change.
To avoid issues here, you can invite your users to review and update their information periodically, as well as review your internal practices to see if you no longer need to store certain categories of data for your processing purposes.
The idea of letting users access and update their information leads right into the next point of the Privacy Shield, which is to give users more access to their personal information.
Give users access to their information
To be compliant with the Privacy Shield requirements, you must give your users the ability to:
- Access their personal information that you've collected,
- Correct the personal information in the event of errors,
- Amend their personal information as they see fit, and
- Delete any outdated or no longer accurate information,
- Confirm that their personal information is actually being processed by you, and
- If their information is being processed, confirm that it is being done so lawfully
Dispute resolution preparedness
Under the Privacy Shield, there are a few requirements for how disputes and issues that arise from your users must be handles:
- You must reply to all complaints within 45 days,
- You must provide Alternative Dispute Resolution (ADR) to your users, at no cost to them, and
- You must provide notice that an arbitration mechanism of a Privacy Shield Panel will be made available as a last resort
Beyond these new and more extensive requirements for business owners, the Privacy Shield also requires that U.S. public authorities provide assurances in writing that personal data collected from EU citizens will be subject to limitations and different safeguards, and that oversight mechanisms will be in place to ensure this.
Mass or indiscriminate surveillance is explicitly not allowed, and annual joint reviews between the EU and the U.S. will be put in place to ensure that requirements are being met, rules are being followed, and that privacy goals are being reached.
Remember: Beginning on August 1, 2016, businesses that are compliant can certify as such with the Department of Commerce, and must renew their certifications annually.