What are the Privacy Shield Principles?
The Privacy Shield Principles include seven commonly recognized Privacy Principles, agreed to by the U.S. Department of Commerce and the European Commission, governing the processing of personal data of EU individuals pursuant to the EU-US Privacy Shield Framework. They should be read in conjunction with sixteen equally binding Supplemental Principles that augment and expand upon the seven Principles.
Seven Promises to Protect Individual Privacy
In order to process personal data received from European Union and EEA countries, participating organizations in the United States must first self-certify that they comply with seven Privacy Shield Principles. The Principles are summarized here as follows:
- Notice. Organizations must publish online privacy notices containing specific information about their participation in the Privacy Shield (including, where applicable, the entities or subsidiaries of the organization that also adhere to the Principles); their practices around collecting, using and sharing personal data with third parties; and their privacy practices, including an individual's rights to access and correct data and the choices made available to individuals for limiting data collection and use. The thirteen specific items to be addressed in the notice also include (i) any relevant establishment in the EU that can respond to inquiries or complaints; (ii) the independent dispute resolution mechanism designated to address complaints, together with a hyperlink to that body's complaint submission form; (iii) the possibility, under certain circumstances, for EU individuals to invoke additional binding arbitration; (iv) the possibility that the organization may be held liable for unlawful transfer of personal data to third parties; and (v) the organization's obligation to disclose personal data in response to lawful national security or law enforcement requests.
- Choice. Participants must provide a mechanism for individuals to opt out of having personal information disclosed to a third party or used for a purpose materially different from the one for which it was provided. Opt-in consent is required for the sharing of sensitive information with a third party or its use for a new purpose.
- Accountability for Onward Transfer. a. To transfer personal information to a third party acting as a data controller, a participant must comply with the Notice and Choice Principles. It must also enter into a contract with the third-party controller limiting the purposes for which the data may be processed and ensuring that the recipient will provide the same level of protection as the Principles. b. To transfer personal data to a third party acting as an agent (such as a service provider), an organization has additional obligations. It must: transfer the data only for limited and specified purposes; ascertain that the agent is obligated to provide at least the same level of privacy protection as required by the Principles; take reasonable and appropriate steps to ensure that the agent effectively processes the data in a manner consistent with the Principles; upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and upon request, provide a summary or representative copy of the privacy provisions of its contract with the agent to the Department of Commerce.
- Security. An organization creating, maintaining, using or disseminating personal data must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into “due account” the risks involved in the processing and the nature of the personal data.
- Data Integrity and Purpose Limitation. An organization must take reasonable steps to limit processing to the purposes for which it was collected, and to ensure that personal data is reliable for its intended use, accurate, complete, and current. It must only retain personal information for as long as needed for the purpose of collection. An organization must adhere to the Privacy Shield Principles for as long as it retains such information.
- Access. An organization must provide a mechanism by which data subjects may request access to the personal information the organization holds about them and enable them to correct, amend, or delete information that is either inaccurate or processed in violation of the Principles.
- Recourse, Enforcement and Liability. This Principle addresses three topics: recourse for individuals affected by non-compliance; consequences for organizations that fail to comply; and compliance verification.
Individual Recourse: Organizations must provide "readily available and affordable independent recourse mechanisms", typically conciliation and/or arbitration services offered at no cost to the individual, to resolve complaints from EU individuals that the parties were unable to resolve on their own. Privacy Shield organizations and their independent dispute resolution bodies must respond promptly to inquiries and requests from the Department of Commerce, which is obligated to pass along complaints referred by EU DPAs. EU residents also have the option of filing complaints directly with their local DPA, which will work with the Department of Commerce and the Federal Trade Commission (FTC) to investigate and resolve them. As a last resort, for complaints left unresolved by all other available mechanisms, individuals may invoke binding arbitration before a newly constituted Privacy Shield Panel, drawn from a pool of at least 20 arbitrators designated by the Department of Commerce and the European Commission, from which the parties select either one or three arbitrators.
Consequences for Non-Compliance: In addition to enforcement by the FTC or the Department of Transportation for its own violations, an organization remains liable for its agents' or service providers' failure to comply with the Principles unless the organization can show that it was not responsible for the event giving rise to the violation.
Compliance Verification: Organizations must verify their compliance with Privacy Shield, either through a documented internal self-assessment process or by engaging a third party verifier. Organizations must keep records of the implementation of their Privacy Shield privacy practices and make them available to enforcement agencies in the course of an investigation.
So long as an organization retains Privacy Shield data, it must affirm its compliance to the Department of Commerce on an annual basis, even after it withdraws from the framework. Alternatively, a withdrawing organization must either return or delete the information, or affirm that it will continue to provide adequate protection for the Privacy Shield data by another authorized means, such as the EU standard contractual clauses.
For the complete text of the Privacy Principles and the Supplemental Principles, please visit the Department of Commerce Privacy Shield website.