Privacy Shield Details Released

Author: Ms Michelle Gyves
Profession: Proskauer Rose LLP

As we previously reported, EU and US officials have reached an agreement to implement a program known as the EU-US Privacy Shield. The Privacy Shield is a successor to the US-EU Safe Harbor program, which was invalidated last year, and is the culmination of more than two years of negotiations between the EU and US to strengthen the protections afforded to individuals whose personal data is transferred from the EU to the US.

On Monday, the European Commission released the documents that will constitute the Privacy Shield, along with a draft adequacy decision. Key features of the new program include the following:

Privacy Principles: As under the Safe Harbor program, Privacy Shield organizations (i.e., organizations that have self-certified under the Privacy Shield) must comply with specified privacy principles (the "Principles") when transferring and processing data originating in the EU. These Principles are: Notice; Choice; Security; Data Integrity and Purpose Limitation; Access; Accountability for Onward Transfer; and Recourse, Enforcement and Liability.

Choice: Individuals must be given the choice to opt out of having their personal information disclosed to a third party (other than an agent of the Privacy Shield organization) or used for a purpose that is materially different from the purposes for which it was originally collected or which the individual subsequently authorized. For sensitive information, with limited exceptions, individuals must expressly opt in before such information may be so disclosed or used.

Onward Transfer: Any transfer of data to a third party must be made pursuant to a contract that provides, inter alia, that the recipient will afford the same level of protection as the Principles. In the case of contracts with agents, an organization must, upon request, provide a summary or copy of the relevant privacy provisions to the Department of Commerce.

Redress of Rights: Privacy Shield organizations must have in place an effective internal mechanism for handling complaints of non-compliance with the Principles and must commit to responding to complaints within 45 days. An independent Alternative Dispute Resolution mechanism must also be designated and made available, free of charge, for individuals to pursue claims of non-compliance. Individuals can bring claims to their national DPA, which will, in turn, work with the US...
