12-07-16 | Blog Post
Online Tech has officially joined more than 1,100 organizations that are compliant with the new EU-US Privacy Shield law, the replacement for the US-EU Safe Harbor Framework. Developed by the Department of Commerce and the European Commission, Privacy Shield is the response to European concern about excessive government access to data and the lack of a process for citizens to file privacy complaints. Privacy Shield allows for the transfer of data between the US and the European Union and implements seven principles of data privacy.
So Safe Harbor is dead?
Yes. The U.S.-EU Safe Harbor Framework was invalidated in October 2015, and Privacy Shield is the new standard. The two agreements are very similar, but there are key differences in the handling of data by third parties, as well as in the recourse options for those who wish to file a complaint. The new framework was signed July 12, and companies could start self-certifying on August 1.
It's important to note that there is also a U.S.-Swiss Safe Harbor Framework. It is similar to, but separate from, the U.S.-EU Safe Harbor, and it was not invalidated. Switzerland must decide whether it wants to come up with its own version of Privacy Shield, and until then the Swiss Safe Harbor remains in effect.
Why have Privacy Shield?
American companies that have users in Europe pass those users' data between Europe and the U.S., and that data needs to be protected. Privacy Shield ensures that protection. Being compliant with Privacy Shield principles means clients based in the EU can rest assured knowing Online Tech is following the principles of Privacy Shield and keeping their data secure and private. Thanks to specific rules outlined in the new agreement, we also offer ways for citizens to raise any concerns they have about how we handle their data, and they are guaranteed to hear from us in 45 days or less.
What differences are there?
There are stricter reporting obligations in the new Privacy Shield, compared with Safe Harbor. Even if an organization withdraws from the Privacy Shield agreement, they will still be responsible for any data obtained while they were under the Privacy Shield.
And like Safe Harbor, organizations that leave the Privacy Shield must maintain any information they keep at the same protection level as when they were members of Privacy Shield. However, Privacy Shield also requires organizations to annually prove to the Department of Commerce that they are protecting that information in accordance with the law. If they are found to be in breach of the agreement, they must destroy or delete all affected data, or provide enough protection by another authorized means, such as EU Standard Contractual Clauses. If an organization no longer needs data obtained under Privacy Shield, it must be deleted.
Read our blog post on the differences between Privacy Shield and Safe Harbor to learn more.
You can also visit https://www.privacyshield.gov for more information, where you can view the full list of organizations that are currently compliant with Privacy Shield.