We explain to you what the EU-U.S. Privacy Shield is all about.
Are you a European company that now wants to gain a foothold in the USA?
Will personal data of your customers be transferred from the EU to the USA? If so, now is the time to consider whether the EU-U.S. Privacy Shield is the right legal basis for your company's transfer of data to the US.
The EU-U.S. Privacy Shield is a data protection agreement between the European Commission and the U.S. Department of Commerce that governs the transfer of personal data from the EU to the United States. Since 12 July 2016 it has been regarded as the successor to the Safe Harbor Agreement, which was declared invalid, and it aims above all to better protect the privacy of European consumers and to increase transparency about how data is collected, used and shared. The advantage for American companies is that, by means of a public certification under the Privacy Shield, they can immediately demonstrate that European data protection standards are adhered to within the company.
At the same time, the new Privacy Shield regulations also lead to an extensive need for action on the part of participating American companies, as various data protection regulations must be adhered to.
What do I need to know about Privacy Shield?
First of all, you must self-certify for the Privacy Shield at www.privacyshield.gov and ensure that you accept and comply with the Privacy Shield Principles. Once this has been done, particular attention must be paid to the extensive information obligations prescribed by Principle I of the Privacy Shield provisions. This information must be presented to the customer clearly and unambiguously. It includes the types of data collected and the purpose for which the data is collected, as well as whether the data is disclosed to third parties and, if so, for what purpose. In this context, your company's possible liability must also be clarified for cases in which data is passed on to third parties not named or in which the third party itself misuses the data. The consumer must also be informed of the right of access to the data, the right to choose the purposes for which the data may be used, and the right to correct or update the data collected. In addition, your company must have an independent dispute settlement mechanism in place and communicate it to the consumer.
Beyond these, there are further information obligations and internal company requirements that you as an American company must fulfil. Violation of these principles can lead to complaints from consumers as well as to official or court orders and, as a result, to substantial fines.
What information must a company provide in order to participate in the EU-U.S. Privacy Shield?
In order to participate in the EU-U.S. Privacy Shield, an organisation must keep the following information clearly visible:
- its participation in the Privacy Shield, with a link to the Privacy Shield List or the web address of that list,
- the types of personal data collected and, where appropriate, the organisation's entities or subsidiaries that also comply with the Principles,
- its commitment to apply the Principles to all personal data received from the EU in reliance on the Privacy Shield,
- the purposes for which it collects and uses personal data about the individual,
- how to contact the organisation in the event of queries or complaints, including information on a relevant EU body that can respond to such queries or complaints,
- the category and identity of third parties to whom the data will be disclosed and the purpose of the disclosure,
- the right of individuals to access their personal data,
- the choices and means the organisation offers individuals for limiting the use and disclosure of their personal data,
- the independent dispute resolution body designated to handle complaints and provide free redress to the individual, and whether it is 1) the panel established by the data protection authorities, 2) an EU-based alternative dispute resolution provider, or 3) a US-based alternative dispute resolution provider,
- the investigative and enforcement powers of the FTC, the Department of Transportation or any other authorised U.S. agency with jurisdiction over the organisation,
- the possibility of invoking binding arbitration under certain conditions,
- the requirement to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
- the organisation's liability in the event of onward transfer to third parties.
It is therefore particularly important to seek advice from an expert on this complex subject from the outset and not to take any risks.
We have already certified and advised well-known companies such as TeamSpeak Systems Inc. for the EU-U.S. Privacy Shield and therefore know exactly what is important.
Our attorney Stephan Hendel and the entire Gabler and Hendel law firm will be pleased to answer any questions you may have. We are also happy to take on the self-certification and the preparation of a legally compliant Privacy Shield declaration for you.