After the EU invalidated Safe Harbor back in October 2015, businesses have been in a state of limbo. Finally, a new framework appeared and was just recently approved: Privacy Shield.
If you’re wondering where Safe Harbor went, and why it had to be replaced, the EU removed it because it failed to address European concerns about collection and surveillance of large volumes of data by US authorities and businesses. There was also concern regarding the lack of tools for EU citizens to complain if they felt their data was being misused in the US.
The Privacy Shield is allegedly going to address the concerns that invalidated Safe Harbor. It is also a voluntary “self-certification” program, but its requirements are more robust than those of the Safe Harbor. This new program is based on a set of privacy principles including notice, data integrity and purpose limitation, choice, security, access, recourse, enforcement and liability, and accountability for onward transfers.
Some of Privacy Shield’s requirements are:
- Creation and publication of a privacy policy that declares the organization’s commitment to the Privacy Shield’s principles and includes a link to the Department of Commerce’s Privacy Shield website
- The organization must provide independent recourse mechanisms by which individuals can have complaints addressed, and a link to a complaint form must appear in the organization’s privacy policy
- The organization must respond to all complaints from individuals within 45 days, and must also commit to binding arbitration at the request of the individual to address any complaint that has not otherwise been resolved
- The organization must inform individuals of their rights to access their personal data, the requirement to disclose personal information in response to lawful requests by public authorities, which enforcement authority has jurisdiction over the organization’s compliance with the framework, and the organization’s liability in cases of onward transfer of data to third parties
- “Onward transfers” (i.e., where the organization transfers EU data to a third party) may be done only pursuant to a contract that provides the same level of protection as the Privacy Shield
- There are further requirements for the processing of human resources data, including the creation of a separate human resources privacy policy that discusses additional issues concerning the handling of that data
As a response to the changing privacy environment and the challenges involved with keeping customer data secure and legally compliant under the consumer’s watchful eyes, many companies are now evaluating cloud-based solutions as an alternative to Privacy Shield. This option might work for some, but it is not the best option for everyone.
Should businesses self-certify? Well, there is no right answer. There has been intense criticism of the newly approved Privacy Shield and it seems like it is going to be an uphill battle. Many argue that while it might have broader coverage than Safe Harbor did, there’s still a long way to go until data legislation catches up with the way personal information is being used today, thanks to technology’s reach.
Because of uncertainty and gray areas, there has been a lot of discussion of whether it is a good idea to jump on the Privacy Shield bandwagon or not. Not all businesses are built the same and there isn’t a “one size fits all” answer. Regardless of what your business chooses to do, now is the time to revise the way your data is compiled and used, and to select a mechanism that provides the right protection coverage while giving you peace of mind.