This is very early days, and therefore there is very little guidance out there yet. However, here’s what you need to know for now:
Normally, to transfer personal data of EU users outside of the EU one needs to meet the conditions outlined in articles 44-50 GDPR (for example, if you store personal data from EU citizens on a server in the United States, you will need to base this transfer on one of the existing compliance mechanisms).
US companies could get certified under Privacy Shield to be a safe destination for EU personal data and therefore when such a company received such data, this activity didn’t need any specific authorization.
Now the EU Court of Justice says that this system is in fact invalid. This means that transfers that relied upon Privacy Shield now need to look elsewhere for a justification.
This article is meant to provide information on Privacy Shield, its purpose, how it may impact you and how you can use iubenda Privacy Shield certification.
Introduction to the Privacy Shield
What is the Privacy Shield?
The Privacy Shield is a framework for cross-border exchanges of the personal data of Europeans which works ensure that EU standards of data protection are applied when transferring this personal data from the EU (and Switzerland) to the US.
Here’s the European Commission’s description of the Privacy Shield:
The EU-U.S. Privacy Shield imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbour framework invalid. The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities. It includes, for the first time, written commitments and assurance regarding access to data by public authorities.
Self-certify annually that they meet the requirements.
Reply promptly to any complaints.
(If handling human resources data) Cooperate and comply with European Data Protection Authorities.
EU and Swiss companies wanting to transfer European’s data to the US in a compliant way, can rely on the convenience and the assurances of the framework for the transfer to participating companies.
Some points to take note of
Privacy Shield is only relevant to companies that want to transfer data of EU or Swiss users to the US.
If a company does this through a partner/processor (e.g. using an analytics service that has servers in the US), then it’s that partner that has to comply, but a Data Processing Agreement between you the controller, and the processor is still required.
In this post, we’ll get into some of the specifics of what’s required for Self Certification, the ways in which iubenda can help, and what the Privacy Shield means for US, Eu and Swiss companies wishing to transfer or handle the data of European users that has been transferred to the US.
What does the Privacy Shield certification mean?
The Privacy Shield has established a framework for transfers of personal data from Europe to the United States. This framework serves the purpose of protecting Europeans’ personal data after the transfer to the US and correlates with GDPR requirements for Cross Boarder Data Transfers.
For European companies
For European companies, there are various ways to correctly transfer European’s data to the US, such as contractual clauses, binding corporate rules, and the Privacy Shield. EU law prohibits the personal data of EU citizens from being transferred outside the EU to countries which do not ensure an adequate level of protection for that data.
The EU generally regards the US as not having a sufficient level of protection. The Privacy Shield is meant to remedy this by acting as the revised mechanism for transferring data safely to the US.
If you’re using US companies to process Data, it might be worth considering one that has obtained the Privacy Shield certification as relying on other GDPR sanctioned transfer mechanisms such as Binding Corporate Rules (BCRs), Standard Contractual Clauses or explicit, informed individual consent (Article 49) can be a bit more complicated.
Be aware that data controllers that fall within the scope of the GDPR are always required to enter into a contract when any data transfer for the purposes of processing occurs. This applies whether the processing happens in or outside of the European Union, and whether or not the processor participates in the Privacy Shield.
Additionally, a GDPR sanctioned transfer mechanism such as an adequacy decision like the Privacy Shield, Binding Corporate Rules (BCRs), Standard Contractual Clauses or explicit, informed individual consent must be used for any cross-border transfer of Europeans’ personal data whether that transfer is controller → controller (e.g transfer between the data controller’s EU and US branches) or controller → processor.
Where the transfer is controller → controller, Binding Corporate Rules (BCRs) may be the best suited mechanism, especially in cases where the controller has branches in multiple countries (as the EU-US Privacy Shield only applies to the US).
You can see which countries adequacy approval has been granted to here.
This is how US companies can get started:
Confirm Your Organization’s Eligibility to Participate in the Privacy Shield – more
Identify Your Organization’s Independent Recourse Mechanism
Ensure that Your Organization’s Verification Mechanism is in Place
Designate a Contact within Your Organization Regarding Privacy Shield
Review the Information Required to Self-Certify
Submit Your Organization’s Self-Certification to the Department of Commerce – more on these steps
An organization must inform individuals about:
its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List;
the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles;
its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield;
the purposes for which it collects and uses personal information about them;
how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints;
the type or identity of third parties to which it discloses personal information, and the purposes for which it does so;
the right of individuals to access their personal data;
the choices and means the organization offers individuals for limiting the use and disclosure of their personal data;
[under the EU-U.S. Privacy Shield] the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is:
the panel established by DPAs,
an alternative dispute resolution provider based in the EU, or
an alternative dispute resolution provider based in the United States;
being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body [currently, there is no other U.S. authorized statutory body recognized by the EU or Switzerland];
the possibility, under certain conditions, for the individual to invoke binding arbitration;
the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
its liability in cases of onward transfers to third parties.
Integration with iubenda
As time goes on, some practices might change. Therefore this is a topic that you may want to revisit periodically.
*Privacy Shield forces you to make some decisions and disclosures that will depend on each particular case.
What the current integrations contain by default
Things You May Need to Add
Providing a point of contact to handle Privacy Shield inquiries: By default the policy contains only the Owner Contact information you provide within the Owner Field
Since we don’t know which email address you’ll use for the Privacy Shield related inquiries, if the address added in the Owner field is not one dedicated to handling Privacy Shield inquires, you will need to add this information to your policy as the Framework requires a dedicated email address or company contact information for handling privacy inquiries and complaints.
[Regarding ii] By default the policy contains no references to subsidiaries or branches as not every organization may have subsidiaries
If have any subsidiaries that data is shared with, you’ll need to additionally mention them in another clause as being committed in the same ways to the Privacy Shield Principles.
[Regarding ix] By default, the policy sets the independent dispute resolution body as the European panel of DPAs – they do not need linking to – unlike the private bodies.
If you therefore use a private dispute resolution body, you need to add a section addressing this (as explained in the integration section below).
[Regarding v] By default, the policy does not link to any relevant establishment that you may have appointed in the EU to handle inquire or complaints since we cannot know these details.
If you therefore, have appointed a particular EU-based establishment or have an EU-based department for handling Privacy Shield related inquires or complaints, you’ll need to add a clause outlining this (as explained in the integration section below).
[Regarding viii] By default, the policy does not go into detail about the choices you may grant the users.
If you offer such choices, you need to state that in an additional section (as explained in the integration section below). Please remember that some choices must be mandatorily offered to users based on the particular type of processing you do. More information on choices can be found here.
iubenda integration text
Since the above constraints shown within the table apply, here’s the full text in case you need to apply any changes/ additions mentioned in the table above, and consequently instead copy it into the generator as a custom service.
Please note that custom clauses are not automatically translated.
Full Integration Text
Privacy Shield participation: data transfers from the EU and Switzerland to the United States
The Owner participates in and complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and Switzerland to the United States. The policies and rights outlined below are therefore equally and explicitly applicable to Users from Switzerland, except if stated otherwise. The Owner has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
What does this mean for the European User?
The Owner is responsible for all processing of Personal Data it receives under the Privacy Shield Framework from European Union individuals and commits to subject the processed Personal Data to the Privacy Shield Principles.
This, most importantly, includes the right of individuals to access their personal data processed by the Owner.
The Owner also complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, which means that it remains liable in cases of onward transfers to third parties.
The Owner is further required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Dispute resolution under the Privacy Shield
In compliance with the Privacy Shield Principles, the Owner commits to resolve complaints about its collection or use of the User’s Personal Data. European Union individuals with inquiries or complaints regarding this Privacy Shield policy should first contact the Owner at the contact details supplied at the beginning of this document referring to “Privacy Shield” and expect the complaint to be dealt with within 45 days.
In case of failure by the Owner to provide a satisfactory or timely response, the User has the option of involving an independent dispute resolution body, free of charge.
In this regard, the Owner has agreed to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU. The User may therefore contact the Owner at the email address provided at the beginning of this document in order to be directed to the relevant DPA contacts.
Under certain conditions – available for the User in full on the Privacy Shield website – the User may invoke binding arbitration when other dispute resolution procedures have been exhausted.