European Union-United States Privacy Shield: What You Should Know

In today’s globalized business world, corporations need to enforce data protection policies to ensure corporate and employee data is not compromised overseas. Corporate and employee data now resides on corporate or personal mobile devices in both the United States and the European Union. It is therefore imperative for both jurisdictions to ensure that corporate data overseas can be secured and that action can be taken in case of a compromise. The European Union's General Data Protection Regulation (GDPR), which goes into effect in 2018, will further refine the policies and protections already implemented in the EU-US Privacy Shield program, which launched in July 2016.

If this is the first time you have heard of the EU-US Privacy Shield, here is what you should know and what your corporation can do to be part of this program.

What is the Privacy Shield?

The Privacy Shield was designed by the U.S. Department of Commerce, the European Commission, and the Swiss Administration. It regulates how companies protect personal data when that data is transferred between the US and the EU/Switzerland. The Privacy Shield grants individuals a number of rights over their personal data, and participating companies are obligated to protect that data in line with the following privacy principles:

  1. The right to be informed
  2. Limitations on the use of a person’s data for different purposes
  3. Data minimization and obligation to keep a person’s data only for the time needed
  4. Obligation to secure a person’s data
  5. Obligation to protect a person’s data if transferred to another company
  6. A person’s right to access and correct their data
  7. A person’s right to lodge a complaint and obtain a remedy
  8. Redress in case of access by U.S. public authorities

What are the benefits of participating in the Privacy Shield Program?

  • Speed – When transferring data between countries, companies do not require prior authorization from or notification to 65% of EU data protection authorities, as would normally be the case.
  • Less Paperwork – Companies do not need to update or re-sign contractual clauses each time a business process or data flow changes.
  • Better Recourse Options – Individuals can raise concerns directly with the certified organization.
  • Executive Support – Drives corporate sponsorship of privacy programs by requiring an annual self-assessment of compliance, enforceable under U.S. law.

Is this a mandatory program that my company needs to apply for?

Joining the Privacy Shield program is voluntary. However, once a U.S. corporation has joined, the program's requirements become enforceable under U.S. law by either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT).

How do I join?

A U.S.-based company must self-certify annually that it agrees to adhere to the Privacy Shield Principles. Detailed information about joining the Privacy Shield is linked here.

Sources

https://www.privacyshield.gov/Program-Overview

https://www.privacyshield.gov/article?id=Benefits-of-Participation

https://www.privacyshield.gov/US-Businesses

http://ec.europa.eu/justice/data-protection/document/citizens-guide_en.pdf

http://www.trustarc.com/blog/2016/08/15/ten-reasons-implement-eu-u-s-privacy-shield/