25 June 2019
In October of 2015, the EU-U.S. Safe Harbor program was invalidated, and in February of 2016, a draft of the new EU-US Privacy Shield was introduced.
This will be very important to you if your business is based in the U.S. and you collect, use and/or store any personal information about European citizens.
The Safe Harbor program was created in the year 2000 between the EU and the U.S. in an attempt to make sure that both EU and U.S. businesses would be complying with EU privacy laws when dealing with personal information from EU citizens.
Under EU privacy laws, personal information from EU citizens cannot be transferred outside of the EU unless adequate guarantees for the privacy of that data are made.
Safe Harbor created a streamlined and rather convenient way for a large number of businesses to be compliant with privacy laws and legally transfer personal data from the EU to the U.S.
Only certain industries were able to participate in the Safe Harbor, including:
If your business was in one of these categories, and your business collected, used, and/or stored personal information from European citizens, you were eligible to participate in the Safe Harbor.
Participating in the Safe Harbor provided benefits to business owners:
Joining Safe Harbor was voluntary and relatively easy to do. A business or organization that wished to join had to:
Basically, under the Safe Harbor, a U.S. business was able to take a few basic steps to self-certify that it would be complying with the data protection standards in place in the EU, and this would allow the business to legally transfer European data to the US.
Thousands of businesses and companies took part in the Safe Harbor, including Google, Apple, and Facebook, just to name a few of the big players.
Sounds pretty good, right? So, why was Safe Harbor invalidated?
In October of 2015, an Australian privacy activist filed a lawsuit against Facebook, alleging that Facebook's handling of his personal information was not legal because it violated European privacy law.
Eventually, the court invalidated the Safe Harbor agreement because it concluded that even if U.S. companies were following Safe Harbor guidelines and taking measures to protect personal information collected from European citizens, this personal information was still at risk of being misused once in the U.S., because U.S. public authorities are not subject to the Safe Harbor guidelines and could obtain this information via surveillance.
And that was the end of Safe Harbor.
In February of this year, the EU and the U.S. released a proposed framework for the Privacy Shield in a draft that included new and more rigorous obligations for U.S. businesses that wish to transfer personal information about EU citizens back to the United States.
On July 12th, the European Commission formally adopted the Privacy Shield. Beginning on August 1, 2016, businesses that are compliant can certify as such with the Department of Commerce.
The new obligations in the Privacy Shield include more broadly reaching and in-depth certification requirements, as well as changes in the following areas:
Self-certification will still be practiced, but with more strict initial requirements, as well as additional mechanisms in place to ensure actual and continued compliance, both by U.S. businesses and U.S. public authorities.
You must also have a procedure in place for how you will handle complaints that your users may lodge against you under the Privacy Shield.
Note: There's currently no link to this DoC list, but in the future, as businesses become certified, this will exist and be part of the requirements.
If you rely on a third party or multiple third parties to transfer personal information to your U.S. business from the EU, you'll want to pay special attention to this section.
If the third party you use for this information transfer fails to comply with Privacy Shield principles, you will be held liable unless you can show that you were not responsible for the non-compliant event.
You should already be paying special attention to whether third parties you use have adequate procedures and policies in place to ensure the protection of personal data, and now compliance with Privacy Shield principles, as well. You might find yourself needing to create a new agreement with a third party you've worked with in the past, or renegotiating an existing agreement to include new clauses and clarifications.
Any agreement between your business and a third party that transfers information from the EU to the U.S. must:
State that your business will take steps that are appropriate and reasonable to make sure that the third party is actually complying with these principles.
These steps can include monitoring and evaluation mechanisms, and should include a remedy that lets you intervene or alter the way the third party is handling information if you find a violation.
The Privacy Shield requires that any data you collect must be:
If you store data for long periods of time, this data may become less accurate and complete, and certainly not current. It also may not be relevant for your purposes any longer if your business practices change.
To avoid issues here, you can invite your users to review and update their information periodically, as well as review your internal practices to see if you no longer need to store certain categories of data for your processing purposes.
The idea of letting users access and update their information leads right into the next point of the Privacy Shield, which is to give users more access to their personal information.
To be compliant with the Privacy Shield requirements, you must give your users the ability to:
Under the Privacy Shield, there are a few requirements for how disputes and issues raised by your users must be handled:
Beyond these new and more extensive requirements for business owners, the Privacy Shield also requires that U.S. public authorities provide assurances in writing that personal data collected from EU citizens will be subject to limitations and different safeguards, and that oversight mechanisms will be in place to ensure this.
Mass or indiscriminate surveillance is explicitly not allowed, and annual joint reviews between the EU and the U.S. will be put in place to ensure that requirements are being met, rules are being followed, and that privacy goals are being reached.
Remember: Beginning on August 1, 2016, businesses that are compliant can certify as such with the Department of Commerce, and must renew their certifications annually.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.