The Privacy Shield Framework, approved by the European Union (EU) and U.S. Government, is a recognized mechanism for complying with EU data protection requirements when transferring personal data from the European Economic Area (EEA) to the United States. Utilizing the 7 Privacy Shield principles (outlined below), organizations participating in the Framework are deemed to provide “adequate” privacy protection of data, as required under the EU Data Protection Directive and the General Data Protection Regulation (GDPR).
U.S. organizations can join the Privacy Shield Framework by self-certifying to the U.S. Department of Commerce and publicly committing to comply with the Framework’s requirements. The U.S. Department of Commerce will work with the EU Data Protection Authorities (DPAs) to ensure compliance with the principles. The Privacy Shield principles apply immediately upon certification.
The Privacy Shield principles introduce:
- Stronger supervision and enforcement activities by U.S. Government organizations (e.g., Federal Trade Commission and Department of Commerce)
- Improved cooperation and transparency
- New privacy and security protections for EEA and other individuals
- Enhanced complaint resolution for EEA citizens
The 7 Privacy Shield principles are:
1. Notice: Organizations must publish privacy notices containing specific information about their participation in the Privacy Shield Framework; their privacy practices, and EU residents’ data use, collection, and sharing with third parties.
2. Choice: Organizations must provide a mechanism for individuals to opt out of having personal information disclosed to a third party or used for a different purpose than that for which it was provided. Opt-in consent is required for sharing sensitive information with a third party or its use for a new purpose.
3. Accountability for Onward Transfer: Organizations must enter into contracts with third parties or agents who will process personal data for and on behalf of the organization, which require them to process or transfer personal data in a manner consistent with the Privacy Shield principles.
4. Security: Organizations must take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction, while accounting for risks involved and nature of the personal data.
5. Data Integrity and Purpose Limitation: Organizations must take reasonable steps to limit processing to the purposes for which it was collected and ensure that personal data is accurate, complete, and current.
6. Access: Organizations must provide a method by which the data subjects can request access, correct, amend, or delete information the organization holds about them.
7. Recourse, Enforcement and Liability: This principle addresses the recourse for individuals affected by non-compliance; consequences to organizations for non-compliance; and compliance verification.
These 7 Privacy Shield principles should be read in conjunction with the 16 equally binding “Supplemental Principles” that expand upon the seven principles. For more information on the EU-U.S. Privacy Shield Framework, please refer to https://www.privacyshield.gov/EU-US-Framework.