Following the decision of July 16, 2020 in Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 we’re currently reworking this guide, as the Privacy Shield has been invalidated.
This is very early days, and therefore there is very little guidance out there yet. However, here’s what you need to know for now:
This article is meant to provide information on Privacy Shield, its purpose, how it may impact you and how you can use iubenda Privacy Shield certification.
The Privacy Shield is a framework for cross-border exchanges of the personal data of Europeans which works ensure that EU standards of data protection are applied when transferring this personal data from the EU (and Switzerland) to the US.
Here’s the European Commission’s description of the Privacy Shield:
The EU-U.S. Privacy Shield imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbour framework invalid. The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities. It includes, for the first time, written commitments and assurance regarding access to data by public authorities.
See also the European Commission’s handy fact/overview sheet.
In this post, we’ll get into some of the specifics of what’s required for Self Certification, the ways in which iubenda can help, and what the Privacy Shield means for US, Eu and Swiss companies wishing to transfer or handle the data of European users that has been transferred to the US.
The Privacy Shield has established a framework for transfers of personal data from Europe to the United States. This framework serves the purpose of protecting Europeans’ personal data after the transfer to the US and correlates with GDPR requirements for Cross Border Data Transfers.
For European companies, there are various ways to correctly transfer European’s data to the US, such as contractual clauses, binding corporate rules, and the Privacy Shield. EU law prohibits the personal data of EU citizens from being transferred outside the EU to countries which do not ensure an adequate level of protection for that data.
The EU generally regards the US as not having a sufficient level of protection. The Privacy Shield is meant to remedy this by acting as the revised mechanism for transferring data safely to the US.
If you’re using US companies to process Data, it might be worth considering one that has obtained the Privacy Shield certification as relying on other GDPR sanctioned transfer mechanisms such as Binding Corporate Rules (BCRs), Standard Contractual Clauses or explicit, informed individual consent (Article 49) can be a bit more complicated.
Be aware that data controllers that fall within the scope of the GDPR are always required to enter into a contract when any data transfer for the purposes of processing occurs. This applies whether the processing happens in or outside of the European Union, and whether or not the processor participates in the Privacy Shield.
Additionally, a GDPR sanctioned transfer mechanism such as an adequacy decision like the Privacy Shield, Binding Corporate Rules (BCRs), Standard Contractual Clauses or explicit, informed individual consent must be used for any cross-border transfer of Europeans’ personal data whether that transfer is controller → controller (e.g transfer between the data controller’s EU and US branches) or controller → processor.
Where the transfer is controller → controller, Binding Corporate Rules (BCRs) may be the best suited mechanism, especially in cases where the controller has branches in multiple countries (as the EU-US Privacy Shield only applies to the US).
You can see which countries adequacy approval has been granted to here.
Switzerland has added itself to the Privacy Shield framework, therefore the same rules apply to Swiss companies. All the relevant documents can be found on this site by the Swiss government/data protection authority and you can read the official Swiss – U.S. Privacy Shield FAQs here.
This is how US companies can get started:
*Privacy Shield forces you to make some decisions and disclosures that will depend on each particular case.
|What the current integrations contain by default||Things You May Need to Add|
|Providing a point of contact to handle Privacy Shield inquiries: By default the policy contains only the Owner Contact information you provide within the Owner Field||Since we don’t know which email address you’ll use for the Privacy Shield related inquiries, if the address added in the Owner field is not one dedicated to handling Privacy Shield inquires, you will need to add this information to your policy as the Framework requires a dedicated email address or company contact information for handling privacy inquiries and complaints.|
|[Regarding ii] By default the policy contains no references to subsidiaries or branches as not every organization may have subsidiaries||If have any subsidiaries that data is shared with, you’ll need to additionally mention them in another clause as being committed in the same ways to the Privacy Shield Principles.|
|[Regarding ix] By default, the policy sets the independent dispute resolution body as the European panel of DPAs – they do not need linking to – unlike the private bodies.||If you therefore use a private dispute resolution body, you need to add a section addressing this (as explained in the integration section below).|
|[Regarding v] By default, the policy does not link to any relevant establishment that you may have appointed in the EU to handle inquire or complaints since we cannot know these details.||If you therefore, have appointed a particular EU-based establishment or have an EU-based department for handling Privacy Shield related inquires or complaints, you’ll need to add a clause outlining this (as explained in the integration section below).|
|[Regarding viii] By default, the policy does not go into detail about the choices you may grant the users.||If you offer such choices, you need to state that in an additional section (as explained in the integration section below). Please remember that some choices must be mandatorily offered to users based on the particular type of processing you do. More information on choices can be found here.|
Since the above constraints shown within the table apply, here’s the full text in case you need to apply any changes/ additions mentioned in the table above, and consequently instead copy it into the generator as a custom service.
Please note that custom clauses are not automatically translated.
The Owner participates in and complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and Switzerland to the United States. The policies and rights outlined below are therefore equally and explicitly applicable to Users from Switzerland, except if stated otherwise. The Owner has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
The Owner is responsible for all processing of Personal Data it receives under the Privacy Shield Framework from European Union individuals and commits to subject the processed Personal Data to the Privacy Shield Principles.
This, most importantly, includes the right of individuals to access their personal data processed by the Owner.
The Owner also complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, which means that it remains liable in cases of onward transfers to third parties.
The Owner is further required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Privacy Shield Principles, the Owner commits to resolve complaints about its collection or use of the User’s Personal Data. European Union individuals with inquiries or complaints regarding this Privacy Shield policy should first contact the Owner at the contact details supplied at the beginning of this document referring to “Privacy Shield” and expect the complaint to be dealt with within 45 days.
In case of failure by the Owner to provide a satisfactory or timely response, the User has the option of involving an independent dispute resolution body, free of charge.
In this regard, the Owner has agreed to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU. The User may therefore contact the Owner at the email address provided at the beginning of this document in order to be directed to the relevant DPA contacts.
Under certain conditions – available for the User in full on the Privacy Shield website – the User may invoke binding arbitration when other dispute resolution procedures have been exhausted.
You can read the full Privacy Shield Framework text here.