EU-U.S. Privacy Shield Framework
The transfer of data is essential in today's business world. Personal data, employee data, customer data, and corporate data need to cross national borders at times, especially in the case of large multinational entities. The European Union, however, places a high value on the privacy of its citizens and has restricted the transfer of data accordingly, unless an American company follows its rules. These rules are outlined in the European Union's new "EU-U.S. Privacy Shield Framework." What are these new rules? Whom do they affect? How can an entity comply with them?
The new framework creates enforceable protections for European Union residents regarding the use of their personal data. American entities that wish to participate will have to conform to greater transparency standards in how the data is used, submit to strong U.S. oversight to ensure adherence, and cooperate more closely with Data Protection Authorities ("DPAs").
Entities that wish to comply can self-certify with the Department of Commerce, but in doing so they will submit to the framework, and the framework will become legally binding under U.S. laws. Certification is voluntary, but it is required to transfer data between the United States and the European Union.
The first prong of the framework concerns the rights of EU citizens. Citizens will have the ability to file a complaint with the participants, and the participants will have to respond within 45 days. In addition, the participants will have to provide recourse and will be potentially liable for privacy claims filed by EU citizens in U.S. courts. There is also a requirement that the entity submit to binding arbitration if requested by the EU citizen.
Following this, the framework details the extent to which an entity will have to comply with the EU DPAs. Prior to self-certification, the entity will have to verify that it is in compliance with the Department of Commerce, which will follow up with organizations with lapsed self-certifications or voluntary withdrawals from the Privacy Shield. In addition, the Department of Commerce will establish a dedicated liaison with the DPAs and assist them when they ask for information on an entity's participation. On that note, participants in the Privacy Shield Framework will have to respond promptly to inquiries by the Department of Commerce.
For more information about what you can do to comply with the Privacy Shield Framework, you should consult with an attorney. At our law firm, we assist clients regarding internet, cybersecurity, and online privacy matters.