In October of 2015, the EU-U.S. Safe Harbor program was invalidated, and in February of 2016, a draft of the new EU-U.S. Privacy Shield was introduced.
This article explains how Privacy Shield used to work.
What was Safe Harbor
The Safe Harbor program was created in the year 2000 between the EU and the U.S. in an attempt to make sure that both EU and U.S. businesses would be complying with EU privacy laws when dealing with personal information from EU citizens.
Under EU privacy laws, personal information from EU citizens cannot be transferred outside of the EU unless adequate guarantees for the privacy of that data are made.
Safe Harbor created a streamlined and rather convenient way for a large number of businesses to be compliant with privacy laws and legally transfer personal data from the EU to the United States.
Only certain industries were able to participate in the Safe Harbor, including:
- Industries that fall under jurisdiction of the Federal Trade Commission (FTC), such as: food, healthcare, energy etc.
- Industries that fall under jurisdiction of the Department of Transportation (DoT), such as some U.S. ticket agents, air carriers etc.
If your business was in one of these categories, and your business collected, used, and/or stored personal information from European citizens, you were eligible to participate in the Safe Harbor.
Participating in the Safe Harbor provided benefits to business owners:
- Your business would be deemed to have adequate privacy protection in place to meet both U.S. and EU privacy standards,
- Litigation was streamlined, and
- Requirements of prior approval for data transfers would be automatically granted or waived for all states participating in Safe Harbor.
Joining Safe Harbor was voluntary and relatively easy to do. A business or organization that wished to join had to:
- Comply with the 7 Privacy Principles of the Safe Harbor program
- Declare your compliance publicly and submit a certification form with a processing fee
- Annually submit a self-certification stating its agreement to comply with the requirements
Basically, under the Safe Harbor, a U.S. business was able to take a few basic steps to self-certify that it would be complying with the data protection standards in place in the EU, and this would allow the business to legally transfer European data to the US.
Thousands of businesses and companies took part in the Safe Harbor, including Google, Apple, and Facebook, just to name a few of the big players.
Sounds pretty good, right? So, why was Safe Harbor invalidated?
The end of Safe Harbor
In October of 2015, an Australian privacy activist filed a lawsuit against Facebook, alleging that Facebook's handling of his personal information was not legal because it violated European privacy law.
Eventually, the court invalidated the Safe Harbor agreement because it concluded that even if U.S. companies were following Safe Harbor guidelines and taking measures to protect personal information collected from European citizens, this personal information is still at risk of being misused once in the U.S. because U.S. public authorities are not subject to the Safe Harbor guidelines and could obtain this information via surveillance.
And that was the end of Safe Harbor.
The Beginning of Privacy Shield
In February of 2016, the EU and the U.S. released a proposed framework for the Privacy Shield in a draft that included new and more rigorous obligations for U.S. businesses that wished to transfer personal information about EU citizens back to the United States.
On July 12th, the European Commission formally adopted the Privacy Shield. Beginning on August 1, 2016, businesses that were compliant were able to certify as such with the Department of Commerce.
The new obligations in the Privacy Shield included more broadly reaching and in-depth certification requirements, as well as changes in the following areas:
- New requirements for how notice of compliance and privacy practices was given to users,
- New and more strict requirements for how vendor agreements and third party contracts were handled,
- More limitations on what data may be collected and how it may be used,
- Citizens had more rights and remedies in the event of a complaint or violation of their privacy, and
- Dispute resolution and remedy mechanisms were broadened in the favor of EU citizens' privacy
Self-certification was still to be practiced, but with more strict initial requirements, as well as additional mechanisms in place to ensure actual and continued compliance, both by U.S. businesses and U.S. public authorities.
- What personal information you were collecting
- How you would be using this personal information
- What access third parties had to this personal information and the scope of their access
- Your responsibility and liability for any personal information that was transferred to a third party
- How users could access their personal information after you collect it
- How users could control the way you use and disseminate their personal information
- How users could opt out of having you share their personal information with third parties
- How users could opt out of you using their personal data beyond what you've disclosed already
- How you would always obtain affirmative consent from a user before you disclosed any of their sensitive information.
You also needed a procedure in place for how you would handle complaints that your users may have lodged against you under the Privacy Shield.
- Description of your procedure for handling complaints,
- Information about which independent dispute resolution body would be used in the event of a complaint, and
- Notice that your users may have had a right to binding arbitration.
Third Party Dealings
If you relied on one or more third parties to transfer personal information to your U.S. business from the EU, and a third party you used for this transfer failed to comply with Privacy Shield principles, you would have been held liable unless you could actually show that you were not responsible for the non-compliance.
You should already have been paying special attention to whether the third parties you used had adequate procedures and policies in place to ensure the protection of personal data, and whether they complied with Privacy Shield principles as well. You might have found yourself needing to create a new agreement with a third party you had worked with in the past, or renegotiating an existing agreement to include new clauses and clarifications.
Any agreement between your business and a third party that transfers information from the EU to the U.S. must have:
- Stated very clearly that any personal information can only be transferred within the specific scope of use that your user(s) have affirmatively consented to,
- Stated that the third party you're using is required to and will comply with Privacy Shield principles, and
- Stated that your business will take steps that are appropriate and reasonable to make sure that the third party is actually complying with these principles.
These steps could have included monitoring and evaluation mechanisms, and should have included a remedy for how you could intervene or alter the way the third party was handling information if you found a violation.
Limit Data Collection
The Privacy Shield called for data minimization and that any data you collect must be:
- Relevant for processing purposes,
- Reliable for the use you intend to use it for,
- Complete, and
If you stored data for long periods of time, this data may have become less accurate and complete, and certainly not current. It also may not be relevant for your purposes any longer if your business practices change.
To avoid issues here, you could have invited your users to review and update their information periodically, as well as review your internal practices to see if you no longer need to store certain categories of data for your processing purposes.
The idea of letting users access and update their information leads right into the next point of the Privacy Shield, which was to give users more access to their personal information.
Give Users Access to Their Information
To have been compliant with the Privacy Shield requirements, you must have given your users the ability to:
- Access their personal information that you've collected,
- Correct the personal information in the event of errors,
- Amend their personal information as they see fit,
- Delete any outdated or no longer accurate information,
- Confirm that their personal information is actually being processed by you, and
- If their information is being processed, confirm that it is being done so lawfully
Dispute Resolution Preparedness
Under the Privacy Shield, there were a few requirements for how disputes and issues raised by your users had to be handled:
- You must have replied to all complaints within 45 days,
- You must have provided Alternative Dispute Resolution (ADR) to your users, at no cost to them, and
- You must have provided notice that an arbitration mechanism of a Privacy Shield Panel would be made available as a last resort
Beyond these new and more extensive requirements for business owners, the Privacy Shield also required that U.S. public authorities provide assurances in writing that personal data collected from EU citizens would be subject to limitations and different safeguards, and that oversight mechanisms would be in place to ensure this.
Mass or indiscriminate surveillance was explicitly not allowed, and annual joint reviews between the EU and the U.S. were to be put in place to ensure that requirements were being met, rules were being followed, and that privacy goals were being reached.
Beginning on August 1, 2016, businesses that were compliant could certify as such with the Department of Commerce, and were slated to have to renew their certifications annually.