When the Safe Harbor data transfer agreement was invalidated last year, the European Union (EU) and the United States began work on defining a new set of rules to govern the flow and handling of personal information of EU citizens across the Atlantic. The details of the new agreement known as the EU-U.S. Privacy Shield were published on February 29th.

When the new agreement takes effect, any U.S. company that transfers data between the EU and the U.S. will be required to implement, publish, and abide by a privacy policy that adheres to the Privacy Shield’s 7 privacy principles:

  1. Notice
  2. Choice
  3. Accountability for onward transfer
  4. Security
  5. Data integrity and purpose limitation
  6. Access
  7. Recourse, enforcement and liability

While the complete details of the requirements under each principle can be found within the agreement, the overview of the first two below clearly indicates that the focus of the agreement is to ensure individuals are fully informed and able to control how their information is handled.

Notice – A company must inform individuals of its participation in Privacy Shield and make a link to the full Privacy List available, disclose the types of personal data it collects and the purposes for which they are collected and used, identify third parties to which the company will transfer information, inform individuals of their right to access their information as well as to limit how their information is used, and offer dispute recourse free of charge.

Choice – Individuals must be offered the ability to opt out if their information is to be used for a purpose that is materially different from the one for which it was originally collected, or if it is to be transferred to a third party. Organizations are required to obtain an opt-in agreement for the transfer to a third party, or for a materially different use, when the information is sensitive in nature, such as medical records.

The decision by U.S. companies to self-certify that they adhere to the Privacy Shield principles is voluntary. However, once a company does so, it will be added to a list maintained by the Department of Commerce, and its actions relative to the principles of Privacy Shield will be enforced under U.S. law.

Despite the release of the agreement, Privacy Shield as well as the adequacy decision, which is the European Commission’s approval of the plan, must still undergo a review by representatives of EU Member States and EU Data Protection Authorities before the EU College of Commissioners makes a final decision and implementation can move forward.

This information is provided for educational purposes only. Hire Image urges employers to consult with an attorney who specializes in data privacy law to ensure policies and procedures are compliant with Privacy Shield, if applicable, as well as all other data privacy laws related to your business.