EU-U.S. Privacy Shield
What is the EU-U.S. Privacy Shield?
The EU-U.S. Privacy Shield is a transatlantic framework that assures compliance with data protection requirements between the European Union and the United States. Under the Privacy Shield, companies abide by obligations and mechanisms for the protection of the personal data of EU individuals. These mechanisms include transparency, U.S. government oversight, and cooperation with EU data protection authorities.
What are the key requirements for Privacy Shield Framework participation?
Requirements to join and participate in the EU-U.S. Privacy Shield Framework include informing individuals about data processing, providing free and accessible dispute resolution, cooperating with the Department of Commerce, maintaining data integrity and purpose limitation, ensuring accountability for data transferred to third parties, exhibiting transparency related to enforcement actions, and ensuring commitments are kept as long as data is held.
Who administers and enforces the Privacy Shield Framework?
From the United States, the U.S. Department of Commerce and the Federal Trade Commission (FTC) operate as administrators and enforcers of the EU-U.S. Privacy Shield. U.S.-based companies wishing to operate under the Privacy Shield must self-certify with the Department of Commerce. Once a company has committed to the framework, the requirements of the Privacy Shield are enforceable by law. The FTC acts as the primary enforcer and rules over complaints of non-compliance. Additionally, local Data Protection Authorities (DPAs) of the European Union shall work with the Department of Commerce and FTC on individual complaints filed directly with the DPAs. The final enforcer of the EU-U.S. Privacy Shield, and the last resort in addressing non-compliance complaints, is the Privacy Shield Panel, consisting of arbitrators chosen by the U.S. Department of Commerce and the European Commission. The panel can address non-compliance grievances through individual-specific, non-monetary relief.
What is the relevance of the EU-U.S. Privacy Shield for trade?
The EU-U.S. Privacy Shield will play a major role in securing data flows between the two parties in the cross-border trade of information services. The Safe Harbor Privacy Principles, which were the initial data protection document between the EU and the U.S., failed to address many of the data protection concerns raised by the European Union and were, thus, declared invalid in 2015. The objective of the new framework is to address these concerns and impose obligations for comprehensive data protection by the U.S. to smooth the path for EU-U.S. data flow and trade.