The European Union (EU) approved the EU-US Privacy Shield, a framework designed to replace the now-defunct Safe Harbor, on Tuesday. The approval ends months of “Will they? Won’t they?” as certain European entities roundly endorsed the framework while others came out squarely against it. Now that the EU has endorsed the Privacy Shield, the US Commerce Department is moving fast to get it launched. Commerce will begin accepting applications for Privacy Shield on August 1, and the Shield takes effect immediately.
What follows are the key requirements of the EU-US Privacy Shield:
- Companies to self-certify. Being a member of the Privacy Shield is optional; however, participants who do join must self-certify with the Commerce Department and publicly declare their commitment to comply. Once the company makes the public declaration, that commitment is enforceable under US law.
- Free dispute resolution. With a nod to the FCRA, Privacy Shield requires a free and accessible dispute-resolution process for individuals; participating companies must respond within 45 days.
- Data limitation. Participants must commit to limiting the use of the data collected, which is consistent with European privacy principles.
- Greater accountability for data transferred to third parties. Privacy Shield participants must ensure, through process and contractual means, that data transferred to third parties is handled with the same level of commitment to the Shield.
- Ongoing commitment to data protection. Even if a company decides to leave the Privacy Shield, it must continue to protect the information it collected while it was a participant.
The Privacy Shield is similar to the Safe Harbor framework it replaces. It does, however, resolve the most common Safe Harbor complaints, which typically centered on the wide latitude for surveillance that government and law enforcement agencies were perceived to have.
The EU approval means that US companies now have a clear path forward in creating data privacy programs that actually comply with European standards. Rather than rejecting everything about Safe Harbor outright, Privacy Shield retains many of the fundamental principles that were present in the now-defunct framework. It does provide clearer guidance in areas such as individual complaints, information sharing with government agencies, and verification of compliance with privacy principles.