Date of publication: November 2016

The Privacy Shield was adopted by the European Commission on 12th July 2016 following the decision of the European Court of Justice to invalidate the previous Safe Harbor Framework governing transfers of personal data from the European Union to the United States.

The Privacy Shield is intended to increase the protection of personal data transferred from the EU to the US, and to facilitate a right to redress for data subjects whose personal data has been processed in a manner that is inconsistent with EU privacy laws.

As with the Safe Harbor regime, participating US organisations must self-certify their compliance with EU standards of data processing within their business activities; it is on that basis that EU organisations may lawfully transfer personal data to them.

Compliance Measures

Under the new regime US organisations need to meet the following compliance measures:

  1. Onward Transfers: Any third party which receives EU data from the participating US business must itself meet the minimum EU requirements, either by being self-certified under the Privacy Shield, by being established in the EU, or by entering into a written contract based upon the EU Model Clauses governing data transfers. Additionally, third parties are contractually obliged to inform the US organisation if they are no longer able to meet the Privacy Shield minimum requirements.
  2. Duration: Personal data which is no longer needed must be destroyed. Participating organisations will only be permitted to hold data for so long as it serves its initial purpose. Data cannot therefore be held indefinitely.
  3. Compliance: Organisations that sign up to Privacy Shield will need to undertake regular reviews of their compliance procedures. If a business fails to meet the requirements of Privacy Shield or the standards required by the EU, it may receive sanctions and be removed from the Privacy Shield list.

It should be noted that, in connection with Privacy Shield, the US government has agreed in principle to assist in preventing mass surveillance of EU personal data; however, it remains to be seen how achievable this is in practice given US national security concerns.

Who can join?

Only certain organisations are entitled to self-certify under the Privacy Shield framework. US businesses which wish to join must be subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation (as appropriate). If a US business receives personal data from any EU member state, then in order to self-certify it must show that it has adequate measures in place to comply with EU privacy laws, which for the UK means the Data Protection Act 1998.

Next steps

In order to join the list of Privacy Shield certified organisations, applicant organisations must demonstrate compliance with the principles of the Privacy Shield as follows:

  1. Eligibility: confirmation of status as a US organisation dealing with the personal data of EU citizens in compliance with EU privacy laws.
  2. Privacy Policy: display of an EU-compliant privacy policy which is clearly displayed and accessible on their website.

The Privacy Policy will need to meet the minimum EU privacy requirements of protection over personal data transferred between the organisation and any relevant counterparty based in the EU. The policy should make specific reference to the Privacy Shield and will need to include a hyperlink to the Privacy Shield website. 

As with a standard privacy policy, this should include details of any data handling practices and the rights and choices applicable to individual data subjects in relation to their personal information. Contact details will need to be displayed, including the business location.

  3. Independent Recourse Mechanism: A dispute resolution service needs to be provided to individuals who believe that their personal data may have been processed in contravention of EU laws.
  4. Verification Mechanism: Regular review mechanisms and compliance procedures need to be built into normal business practices to ensure that the minimum requirements of Privacy Shield continue to be met.
  5. Contact: A designated individual must be appointed with responsibility for dealing with data subjects' concerns and complaints.
  6. Annual re-registration: Following a successful registration, the business will need to renew its registration on an annual basis and certify that the organisation still meets all of the Privacy Shield requirements.

Enforcement

Participating organisations are expected to self-regulate their activities through verification, dispute resolution and provision of remedies. As part of this process, any complaints received must be responded to within 45 days by the appointed handler.

If you are considering signing up to Privacy Shield or require information or assistance about your obligations under EU privacy laws, then please contact Ben Robson at ben.robson@ocsolicitors.com or on +44 (0)207 067 4300.

DP3

Disclaimer: This note does not contain a full statement of the law and it does not constitute legal advice. Please seek legal advice if you have any questions about the information set out above.

Copyright © 2013 - Oury Clark.