More customers are becoming aware of data privacy when engaging with businesses online. With data breaches on the increase, many customers face issues regarding the adequate protection of personal data, especially following a data breach or cyberattack. A report by the RAND Corporation found that 11 percent of customers would change organization, and 23 percent would give the existing organization less business. These realities have spawned an ecosystem of regulation and data privacy awareness.
Regulations in data privacy have become more stringent in the past 4 years with the introduction of the EU GDPR (General Data Protection Regulation). In the same period, the European Union and the United States have introduced a compliance mechanism known as the EU US privacy shield, for the transfer of personal data from the EU and the US.
This blog will take you through a brief description of what the EU US privacy shield framework is, its overall purpose, and an easy-to-understand explanation of the main principles within the framework.
What Is the EU US Privacy Shield?
The EU US privacy shield is a data protection framework developed by the US Department of Commerce in partnership with the European Commission. The framework was designed to facilitate the transfer of personal data to and from the EU and the US, whilst complying with EU data laws. The framework was also designed in a way that supports transatlantic commerce.
Mechanism of Compliance
As briefly described above, the EU US privacy shield is a mechanism of compliance concerning EU data subjects. In the GDPR, data subjects refer to the producers of personal data, i.e., customers, users of healthcare systems, service users, etc.
They are the main focus of data privacy laws and frameworks, and the EU US privacy shield is no different. The framework outlines how an organization should handle personal data transfer from the EU to the US.
The EU US privacy shield embodies this mechanism of compliance through its main principles, which are outlined in more detail in the section below titled Privacy Shield Principles. The principles of the EU US privacy shield are similar to the ones mentioned within the GDPR, with the main difference stemming from the United States' approach being “sectoral”, as stated on the privacy shield website.
The Department of Commerce uses "sectoral" to describe a data privacy approach that involves a mix of regulation, legislation, and self-regulation. Essentially, there is no single regulation or framework that an organisation must adhere to as a catch-all for data protection compliance.
An example of this would be HIPAA. This regulation only applies to the health care and health insurance industry and to those organisations that deal with personal health data. At the same time, those organisations would do best to adhere to other data privacy frameworks, such as this one, if they were also dealing with the transfer of personal data from the EU to the US. They may also be obligated to adhere depending on the kinds of personal data they are processing.
Is Joining the EU US Privacy Shield Mandatory?
Joining the EU US privacy shield is not compulsory for organizations that operate within the US. If an organization joins the privacy shield list, however, then it must comply with the principles set out by the framework, which is enforceable under US law.
As stated by the Department of Commerce, “While decisions by organizations to thus enter the Privacy Shield are entirely voluntary, effective compliance is compulsory.”
Effective compliance is essentially compliance with existing data protection laws and frameworks that are outside the EU US privacy shield. Think of regulations such as HIPAA, although it is not limited to just this regulation. Damages to the data subject due to negligence can lead to serious penalties, which can range from administrative remedies to criminal remedies depending on the situation. For example, a $5.5 million fine was levied against Memorial Healthcare Systems in 2017 for HIPAA violations.
This was due to Memorial Healthcare Systems accessing confidential personal data. Individuals may also claim civil damages against an organization for data protection violations, known as civil remedies.
So it is best to employ best practice methods as a means of effective compliance. These methods include a robust cybersecurity architecture, strong cybersecurity organizational policies (such as adequate staff awareness programs), and compliance with the regulations and frameworks relevant to your industry.
This is especially true if the organization is dealing with data subjects within the European Union. This, however, does not include EU citizens residing outside the European Union. Any organization that processes data of EU subjects must adhere to the GDPR as a matter of law.
What is the Purpose of the EU US Privacy Shield?
The primary function of the EU US privacy shield is to create a framework that can facilitate easy transfer/processing of personal data from the EU to the US. The European Commission has determined that the framework provides adequate data protection per their “adequacy determination.”
On the basis of Article 45 of Regulation 2016/679 (EU), the European Commission has the legislative power to determine whether a country outside the Union has implemented adequate data protection measures.
The adequacy determination is lengthy and could be a blog article on its own, but for the sake of brevity the legislation outlines measures to be taken such as but not limited to:
- Reasons for the processing of personal data
- Is data being processed only to the extent to which is necessary?
- Personal data is not kept longer than the necessary purpose of processing
- Processing of personal data is being done under appropriate security measures (encryption, policy, etc.)
There are more but these are a few of the categories that determine adequate data protection measures. Thankfully the EU US privacy shield has been determined adequate as per the European Commission adequacy determination. By knowing the principles of the EU US privacy shield, which are outlined in the section titled Privacy Shield Principles of this blog, you will have a better understanding of the European Commission adequacy determination requirements.
The adequacy determination process and decision by the European Commission (as outlined on their website) involves:
- A proposal from the European Commission
- An opinion from the European Data Protection Board
- An approval from representatives of EU countries
- The adoption of the decision by the European Commission
As stated by the European Commission, the effect of a decision is as follows:
“The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.”
Stricter Data Protection Laws Within the EU
Since the approval and subsequent implementation of the GDPR in 2016, data privacy laws within the EU have branched out to include any country that deals with the processing of personal data of EU data subjects, provided those data subjects reside within the European Union.
This regulation affected various industries regardless of whether they are based within the EU or not. This meant that the US Department of Commerce, in conjunction with the European Commission, devised a framework where personal data transfer of EU citizens could be made easier if organizations within the US abided by the principles set out by the privacy shield. This is because of the adequacy determination decision made by the European Commission on the EU US privacy shield (refer to the above section for more information).
Although, as mentioned above, joining the privacy shield list is not mandatory for US-based businesses, its primary benefit lies in streamlining. The framework set out by the EU US privacy shield means that organizations are, in most cases, automatically granted transfer of personal data from the EU.
In the next section we will explore the meat and potatoes of the EU US privacy shield: the principles.
Privacy Shield Principles
The EU US privacy shield principles are the main body of the framework. A good grasp on the principles of the EU US privacy shield can give you a sense of the bedrock of modern data privacy laws.
Who are the principles intended for?
“They are intended for use solely by organizations in the United States receiving personal data from the European Union for the purpose of qualifying for the Privacy Shield and thus benefiting from the European Commission’s adequacy decision.” – Department of Commerce
There are 7 main Principles and 16 Supplemental Principles, collectively referred to as the Principles. We will briefly outline the main 7 Principles.
Notice
The Principle of Notice stipulates what information must be disclosed by an organization to the relevant individual and the manner in which that information should be conveyed.
There are 13 points of interest that the organization must share with the relevant individual and these can be loosely classified under 5 categories as follows:
- EU US Privacy Shield Participation
Points 1, 2, and 3 require the organization to state its participation in the EU US Privacy Shield and its commitment to the Principles of the EU US Privacy Shield. This applies to any subsidiaries or entities of the organization also participating in the EU US Privacy Shield. In practice this requires the organization to provide either a direct link to the EU US Privacy Shield website or the web address, and to state that all personal information/data received from the European Union will be subjected to the Privacy Shield principles.
- Types of Data
Points 2, 4, and 6 require the organization to specify the types of personal data collected, the purpose of the collection and use of the data, and with whom the data will be shared, that is, the identity and type of third parties having access to that data.
- Oversight and Liability
Points 10, 11, and 12 require the organization to disclose the fact that it is subject to enforcement and investigatory powers of any U.S. statutory body and must also respond to any lawful request by a U.S. public body for the disclosure of personal data held. Similarly, it must state its liability with regards to data transfers to third parties.
- Rights of Individuals
Points 7, 8, 9, and 11 require the organization to inform individuals of their rights in respect to the EU US Privacy Shield. Specifically, individuals must be informed that they have the right to access their data and limit its use or disclosure. The right to access binding arbitration as an option for the individual also must be disclosed.
The means for doing this, and the options available, must be stated to the individual as must the existence and contact details of the relevant dispute resolution body. This body may be one established by the data protection authority (DPA), one based in the EU, or the US. Regardless, it must provide services free of charge to the individual.
- Contact Details
Point 5 stipulates the need to supply contact details of the organization (including the relevant EU organization) for individuals wishing to complain or inquire.
Finally, all of the above must be communicated to the individual in clear and easily understood language at the time (or as soon as possible) of the data collection, and most importantly before it is shared with any third parties. Put simply, companies must get the consent of the data subject to process or share their private information.
Choice
Individuals must be given the opportunity and choice to opt in or opt out from various forms of data collection and sharing. Opt-in within the EU US Privacy Shield refers to the gaining of ‘affirmative express consent’ and applies when sensitive information will be shared with a third party or where the use of the data has subsequently changed from its time of first collection. Sensitive information is specific personal information which may be used to discriminate against an individual, the most common of which are defined in the EU US Privacy Shield as personal data concerning an individual’s health and medical history, ethnicity, sexuality, political opinions or trade union membership, and their religious beliefs or philosophical viewpoint.
The opt-out choice must be offered every time the subsequent processing of that data has changed from that for which the original consent was given, or when the data is to be shared with third parties. The choice to opt out or to opt in must be presented as a clear and conspicuous call for consent; for example: ‘I understand that company XYZ will process and share my personal information only for the purpose of (123) and that company XYZ will contact me for new consent if purpose (123) changes. I DO/DO NOT consent to this use of my personal data.’
Accountability for Onward Transfer
This section explains the responsibilities of an organization collecting, processing, or sharing the personal data of EU citizens relevant to any third parties acting in the capacity of data controller for, or as an agent of, the organization.
Third-party as Controller:
Contracts made with third-party data controllers must specify that the third party will only process and control data in a manner consistent with the requirements of the EU US Privacy Shield, offering the same protections and under the same permissions as those obtained by the organization from the relevant individual. The contract must specify the limit and specific scope of the processing and under what circumstances the third-party controller must stop further processing, and potentially remediate any damage or loss of data to its original state, with any effects arising from non-compliance being reversed.
Third-party as Agent:
When transferring data under the EU US Privacy Shield to third parties acting as Agents of the organization, there are 6 key factors to be applied:
- Data must be transferred only for limited and specific purposes,
- The Agent must adhere to the Principles of the EU US Privacy Shield,
- The organization must ensure the Agent’s fulfillment of the obligations,
- Require the agent to notify the organization if or when they are no longer able to meet their obligations under the Principles of the EU US Privacy Shield,
- When notified of the Agent’s inability to comply, organizations must stop further processing of data and take remedial action,
- Provide a copy of the privacy provisions within the contract with the Agent to the DOC when requested.
Security
Organizations are responsible for the personal data they have collected and are required to protect that data from damage, loss, theft, disintegration, misuse, or any unauthorized use. They must take appropriate and reasonable measures to mitigate these possibilities, such as a robust cybersecurity architecture and appropriate company security policies.
Data Integrity and Purpose Limitation
Since personal data can only be collected for a limited and specific purpose, that data must also be accurate and reliable for its intended use. It must be complete and current and compatible with the purpose of its collection. Information that makes it possible to identify an individual is permitted under certain circumstances and may be held or processed for longer periods of time.
This applies specifically in the case of the broader public interest such as historical and scientific research, statistical analysis, and journalism. Under some circumstances an organization may consider data which enables consumer protection, security, or legal compliance, for example, to be compatible with its purpose of collection.
Access
Unless the cost is prohibitive, organizations must make it possible for individuals to correct, amend, or delete any personal information where it is inaccurate or processed without the correct consent. If the action would violate the rights of others then it should not be exercised.
Recourse, Enforcement, and Liability
The EU US Privacy Shield sets minimum requirements for the mechanisms of recourse provided by organizations. Briefly put, these are as follows:
Complaints and disputes brought by individuals must be investigated and resolved as quickly and efficiently as is reasonable, with remedies or damages awarded where the appropriate local laws allow. At the very least it is expected that the effects of non-compliance with the EU US Privacy Shield framework will be corrected or reversed and any further processing will be in full compliance.
Organizations must have in place procedures that allow for a follow-up to rectify any problems and to provide proof of compliance with the Principles within their own organization and with third parties.
Organizations that state that they comply with the EU US Privacy Shield Principles but are found to be in breach are subject to strong sanctions such as publicity of the organization’s non-compliance, deletion of the disputed data, payment of compensation to affected individuals (which in some cases may be thousands of people), and the suspension or removal of a seal.
Transfers of data to third parties who are not in compliance with the Principles will create a liability for the organization unless it can prove that the breach was not in its control.
Where the organization becomes the subject of a court order or an FTC order due to non-compliance, it must make public those parts of the assessment report related to the EU US Privacy Shield. This not only exposes the organization to negative publicity but also opens the inner workings of the company to external scrutiny by competitors, journalists, and the public at large, with the consequent damage to reputation and possibly even market share.
We hope you have a clearer understanding of the EU US privacy shield and the modern technicalities of data privacy laws and frameworks.
It seems likely that trends in consumer awareness towards data protection will continue to increase and businesses must adapt toward current demands for better protection and increased trust within their cyber ecosystems.