Privacy Shield 101: U.S. Companies Face New Rules

If you’re a U.S. company doing business in Europe, what does the Privacy Shield mean for you? Here are the key points.

25 May 2016


In February 2016, the European Commission (the executive body of the European Union) and the U.S. released details of a new agreement for sharing personal information: the EU-U.S. Privacy Shield. The Privacy Shield is meant to replace the Safe Harbor agreement that the European Court of Justice struck down in October 2015, ruling that it did not give adequate protection for the personal data of European citizens. The new agreement aims to rectify these concerns, with stricter requirements for companies and government authorities, stronger enforcement, and ongoing oversight.


What do companies have to do to comply?

U.S. companies wishing to import personal data from the EU will have to self-certify annually to the U.S. Department of Commerce that their use and handling of such data complies with seven Privacy Principles, which are summarized below. Under the agreement, the U.S. Department of Commerce will verify that companies comply with these Principles, and can refer perceived violations to the Federal Trade Commission for further enforcement action.

Readers familiar with the old Safe Harbor agreement may notice that the structure of the Privacy Principles appears similar to the Safe Harbor framework. However, the standards are stricter in many cases. Some of the rules are quite involved, so make sure you do your due diligence!

  • Notice: Provide notice to EU citizens regarding how their data is collected and processed, including the type of data, the reason for processing it, the citizen’s right to access it, the conditions for onward transfers, the right to opt out, and the remedies available for security breaches. This information would be provided in the company’s Privacy Policy.
  • Choice: Allow individuals to opt-out when their personal data is shared with third parties or used in ways “materially different” from the original purpose for which it was collected.
  • Security: Implement “reasonable and appropriate” security measures, including requiring all sub-contractors to provide the same level of data security required by these Privacy Principles.
  • Data Integrity and Purpose Limitation: Ensure the reliability and integrity of personal data, and process personal data only in the ways that are authorized.
  • Access: Provide EU citizens with access to their personal information within a reasonable time frame and at a non-excessive cost.
  • Accountability for Onward Transfer: Limit onward transfers of personal data to third parties to specific purposes defined in a contract, with data protection obligations equivalent to these Privacy Principles.
  • Recourse, Enforcement and Liability: Provide mechanisms to ensure compliance with the Privacy Principles and give EU citizens access to free and independent dispute resolution mechanisms to redress alleged non-compliance. The European Commission recommends that companies commit to following the advice of the citizen’s national Data Protection Authority (DPA), but this is not mandatory. However, any company handling human resources data from Europeans must comply with instructions from the relevant DPA.

What can EU citizens do if they think a U.S. company has misused their data?

One of the things Europeans hated about Safe Harbor was its limited enforcement. With the Privacy Shield, that has changed dramatically. Any EU citizen who believes that a U.S. company has misused their data will now have access to several enforcement mechanisms:

  • The individual can file a complaint with the company using the link in their Privacy Policy. Companies must respond within 45 days with an assessment of the merits of the complaint and how (or if) they will rectify the problem.
  • If the EU citizen is not satisfied with the company’s response, they can seek redress through the independent dispute resolution service that U.S. companies must provide. (See the last Privacy Principle above.) Companies will be required to provide a link to their dispute resolution provider on their Privacy page.
  • As an alternative to the above, EU citizens can go to their national Data Protection Authorities, who will work with the U.S. Department of Commerce and Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved.
  • The Federal Trade Commission (FTC) will accept complaints from dispute resolution providers, the DoC, and the DPAs, and determine whether to conduct an enforcement investigation or proceeding.
  • As a last resort, EU individuals can take their dispute to the Privacy Shield Panel, an arbitration mechanism that can take binding decisions against U.S. self-certified companies.

In our next blog post, we'll discuss the Privacy Shield further, including what the future might look like in terms of regulations and how businesses can prepare.
