When you think advocacy, think of us


Welcome to our April 2016 Newsletter! Please take the time to read the article and contact us should you have any questions or concerns.


Law Offices of Salar Atrizadeh

EU-U.S. Privacy Shield Framework

The transfer of data is essential in today's business world. Personal data, employee data, customer data, and corporate data need to cross national borders at times, especially in the case of large multinational entities. The European Union, however, places a high value on the privacy of its citizens, and has restricted the transfer of data accordingly, unless an American company follows its rules. These rules are outlined in the European Union's new "EU-U.S. Privacy Shield Framework." What are these new rules? Whom do they affect? How can an entity comply with them?

The new framework creates enforceable protections for European Union residents regarding the use of their personal data. American entities that wish to participate will have to conform to greater transparency standards in how the data is used, submit to strong U.S. oversight to ensure adherence, and increase their cooperation with Data Protection Authorities ("DPAs").

Entities that wish to comply can self-certify with the Department of Commerce, but in doing so they submit to the framework, and the framework becomes legally binding under U.S. laws. Certification is voluntary, but it is required to transfer data between the United States and European Union.

The first prong of the framework concerns the rights of EU citizens. Citizens will have the ability to file a complaint with the participants, and the participants will have to respond within 45 days. In addition, the participants will have to provide recourse, and will be potentially liable for privacy claims filed by EU citizens in U.S. courts. There is also a requirement that the entity submit to binding arbitration if requested by the EU citizen.

Following this, the framework details the extent to which an entity will have to comply with the EU DPAs. Prior to the self-certification, the entity will have to verify that it is in compliance with the Department of Commerce, which will follow up with organizations with lapsed self-certifications or voluntary withdrawals from the Privacy Shield. In addition, the Department of Commerce will establish a dedicated liaison with the DPAs and serve to assist them when they ask for information on an entity's participation. On that note, participants in the Privacy Shield Framework will have to respond promptly to inquiries by the Department of Commerce.

When transferring the data, the participant will have to include a privacy policy that declares its adherence to the Privacy Shield Framework to make the adherence binding, and attach a link to the Department of Commerce's Privacy Shield website and a link to the complaint submission form. The participant is required to inform the individuals of their rights to access personal data. In the event that the data would be transferred to a third party, the third party would be restrained by contract to ensure the data would only be processed for "limited and specified purposes" consistent with the EU citizen's consent. In essence, the permission given to the third party cannot exceed the permission given to the first party. Finally, even if a participant leaves the program, it must still protect the data that was collected while under the program.

For more information about what you can do to comply with the Privacy Shield Framework, you should consult with an attorney. At our law firm, we assist clients regarding internet, cybersecurity, and online privacy matters.
