Written By ESR News Blog Editor Thomas Ahearn
The full text of the new EU-U.S. Privacy Shield Framework issued by the European Commission to govern data transfers between the European Union (EU) and the United States (U.S.) while providing a set of robust and enforceable protections for the personal data of EU individuals is now publicly available on the U.S. Department of Commerce website at https://www.commerce.gov/privacyshield.
“The EU-U.S. Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic. We have spent more than two years constructing a modernized and comprehensive framework that addresses the concerns of the European Court of Justice and protects privacy,” U.S. Secretary of Commerce Penny Pritzker said in a statement on the release of the EU-U.S. Privacy Shield text.
According to a Fact Sheet (PDF), the EU-U.S. Privacy Shield Framework was designed by the Department of Commerce and European Commission to provide mechanisms to comply with EU data protection requirements when transferring personal data from the EU to the U.S. To join the Privacy Shield Framework, a U.S.-based company will be required to self-certify to the Department of Commerce.
While joining the Privacy Shield Framework will be voluntary, once an eligible company makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All companies interested in joining the Privacy Shield Framework should review its requirements in their entirety. Key new requirements for participating companies include:
Informing individuals about data processing
- A participant must inform individuals of their rights to access their personal data, the requirement to disclose personal information in response to lawful request by public authorities, which enforcement authority has jurisdiction over the organization’s compliance with the Framework, and the organization’s liability in cases of onward transfer of data to third parties.
Maintaining data integrity and purpose limitation
- Privacy Shield participants must limit personal information to the information relevant for the purposes of processing.
Ensuring accountability for data transferred to third parties
To transfer personal information to a third party acting as a controller, a Privacy Shield participant must:
- Comply with the Notice and Choice Principle.
- Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles.
To transfer personal data to a third party acting as an agent, a Privacy Shield participant must:
- Transfer such data only for limited and specified purposes;
- Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
- Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
- Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
- Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
Cooperating with the Department of Commerce
- Privacy Shield participants must respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield Framework.
Transparency related to enforcement actions
- Privacy Shield participants must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if the organization becomes subject to an FTC or court order based on non-compliance.
Ensuring commitments are kept as long as data is held
- If an organization leaves the Privacy Shield Framework but chooses to keep information received under it, the organization must either annually certify its commitment to continue applying the Principles to that information or provide “adequate” protection for the information by another authorized means.
The full text of the EU-U.S. Privacy Shield Framework also includes information on rights and legal remedies for EU individuals to bring a complaint directly to a Privacy Shield participant, program oversight with EU data protection authorities (DPAs), and increased cooperation with EU DPAs by the Department of Commerce and U.S. Federal Trade Commission (FTC).
The EU and U.S. agreed to create the new Privacy Shield Framework to replace the 16-year-old Safe Harbor pact two days after the original January 31, 2016 deadline for such an agreement had passed. The privacy watchdog group Article 29 Working Party had issued a statement calling on the U.S. and EU to find a new solution by the end of January 2016 or else face possible “coordinated enforcement actions.”
As reported earlier by ESR News, the ruling invalidating Safe Harbor stems from the case of Maximillian Schrems v. Data Protection Commissioner, in which an Austrian citizen lodged a privacy complaint about his data being transferred to servers in the U.S. for processing, claiming that the U.S. did not offer sufficient protection against government surveillance in light of the revelations made by defector Edward Snowden.
Employment Screening Resources® (ESR), a leading global provider of background checks, completes an annual SOC 2® Type 2 Data Security Audit that confirms ESR meets high standards for protecting the security, confidentiality, and privacy of consumer information used for background checks. For more information about ESR, please call toll free 888.999.4474 or visit https://www.esrcheck.com.
NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this web site is for educational purposes only.
© 2016 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.