04-11-19 | References
Why did this agreement come about in the first place? When the EU Court of Justice ruled Safe Harbor invalid, it had two key concerns: excessive U.S. access to European data (thanks to the Edward Snowden leaks of 2013) and a lack of process for European citizens to address their concerns. Privacy Shield aims to redress those issues.
Are there a lot of differences between the agreements? Not really. The differences between the Safe Harbor data protection law and the new Privacy Shield agreement are more in the methods of addressing data transfers than in changing the nature of them. Safe Harbor had seven principles: Notice, Choice, Onward Transfers (transfers to third parties), Access, Security, Data Integrity, and Enforcement. Privacy Shield has those same principles, but focuses on more individual rights for EU citizens, stricter requirements for U.S. businesses, and restrictions on U.S. government access to personal data.
One major change from Safe Harbor is the transfer of data to third parties, or the Onward Transfers principle. In the old agreement, an organization had to provide notice and choice to consumers before sharing personal information with a third party, but that was not required if the third party was “acting as an agent to perform tasks on behalf of and under the instructions of third organization.”
With the new agreement, that rule has changed dramatically. Companies that wish to transfer data to third parties now must also comply with the principle of purpose limitation and ensure that the third party provides the same level of Privacy Shield protection as the original company. Organizations must also provide a copy of relevant portions of their privacy agreement with the third party to the Department of Commerce upon request. However, even when those requirements have been met, an organization remains liable if the third party does not process the information in a manner consistent with the Privacy Shield agreement, unless it proves it is not responsible for any event that causes damage to the personal information.
Overall, the Privacy Shield seeks to address concerns voiced by Europeans over how much of their data was being sent to the U.S. and over the lack of a process for filing complaints under Safe Harbor. Despite the framework being signed July 12, many critics of the new policy remain vocal and question whether it can stand up to a legal challenge. Companies may self-certify adherence to the new principles beginning Aug. 1, 2016, and the full list of certified companies is available on the Privacy Shield website.
Frequently Asked Questions about Privacy Shield
EU-US Privacy Shield Fact Sheet
Privacy Shield website for U.S. businesses
European Commission Privacy Shield website