For many years, technology outpaced policy when it came to standards and protections around ownership of and access to personal data. Privacy policies are not set by governments but rather by technology companies that created the digital world as it is experienced today. Many if not all of the dominant players in this space are American technology companies that include Alphabet (i.e. Google), Apple, Amazon, Facebook and Microsoft. These companies have more say about a user’s online life than any individual local, state or national government.
Increasingly, the only way a government can control the web is to block it entirely or block access to a specific channel. For example, in June, Algeria blocked access to Facebook, Twitter, and other social media sites because high school exam papers were being posted online. European governments have actively tried to limit the reach of tech companies through antitrust legislation and privacy regulations. European attitudes and policy quickly became adversarial following revelations from Edward Snowden that United States intelligence agencies were actively spying on people worldwide, including leaders of other countries.
European Privacy Protection
Europe and America approach privacy differently. While privacy, in America, is desired but not guaranteed, in Europe it is a fundamental right, similar to our freedom of expression. So strong are European privacy protections that, even when the matter is newsworthy, a European citizen can, after a period of time, petition a tech company to be removed from its service under the “right to be forgotten and to erasure” legislation.
From “Safe Harbor” to E.U.-U.S. Privacy Shield
On July 12, 2016, Europe and America signed a treaty establishing a mechanism that permits digital information to move freely between the European Union and the United States, known as the E.U.-U.S. Privacy Shield. The new Privacy Shield replaces the “Safe Harbor” program invalidated by the European Court of Justice last fall because, according to the ECJ, the Safe Harbor did not adequately safeguard the privacy rights of EU citizens with respect to US government surveillance.
The “Safe Harbor” program was born out of a data protection directive issued by the European Union in 1998. Under the program, US companies would self-certify that they would comply with EU data protection standards in order to permit data to transfer between the EU and US. The “Safe Harbor” program did not apply to the US government.
The principles of the E.U.-U.S. Privacy Shield are more stringent than those required by the Safe Harbor provisions, and align closely with the heightened requirements of the EU’s new General Data Protection Regulation (GDPR).
The Privacy Shield governs only data relating to individuals living in European Union countries and does not apply to individuals living in the United States or anywhere else in the world.
The key components of the Privacy Shield are:
A. Self-certify as Privacy Shield compliant with the US Department of Commerce (DOC);
This self-certification process of the new Privacy Shield framework is similar to that of the Safe Harbor provision. To assist companies with the certification process, the US Department of Commerce (DOC) has released a “Guide to Self-Certification”.
B. Develop a privacy policy that conforms to the Privacy Shield;
Among other things, the privacy policy should reflect the organization’s information handling practices and the choices the organization offers individuals with respect to the use and disclosure of their personal information.
C. Publicly commit to the Privacy Shield Principles;
This public declaration may be made in the company’s privacy policy or elsewhere if appropriate (such as within the company’s “Legal” section on the website) – so long as the attestation is available to the general public. Doing so enables the same enforcement principles that existed in the Safe Harbor provision, allowing the Federal Trade Commission to take enforcement action under its Section 5 authority over unfair and deceptive acts and practices.
The Privacy Shield Principles consist of seven principles for assuring the adequate protection of personal data. These principles mirror those set out in the Safe Harbor framework, but extend beyond what was previously required, and align closely with the heightened requirements of the GDPR.
- Notice
- Choice
- Accountability for onward transfer/vendor agreements
- Security
- Data integrity and purpose limitation
- Access
- Recourse, enforcement and liability
D. Annually re-certify compliance with the DOC;
E. Provide free independent dispute resolution to EU individuals; and
F. Be subject to the authority of the US Federal Trade Commission (FTC), US Department of Transportation (DOT) or other enforcement agency.
G. Yearly review of the agreement.
Conclusion and Criticism of New Agreement
The new Privacy Shield framework imposes greater obligations upon organizations and their vendors than existed under the Safe Harbor framework. In the context of the rights accorded to individuals, these new requirements mirror those set out in the GDPR. The Privacy Shield also includes detailed mechanisms for resolving disputes and providing recourse for individuals whose rights have been violated. Based on these increased obligations, organizations intending to certify to the Privacy Shield will want to update their policies around notice, choice, access, onward transfers, and recourse, as well as reviewing their standard vendor agreements, even if they have already met the Safe Harbor Principles.
The European Court of Justice struck down the original “Safe Harbor” program following a legal challenge in 2015 over concerns that the U.S. mass surveillance program meant that European data was not being protected. Many people, including Max Schrems, the original plaintiff in the “Safe Harbor” challenge case, still believe the new agreement does not protect EU citizens’ privacy and continues to create an unstable business environment for companies doing business in Europe. For now, at least, the Privacy Shield is in place.
* * *
Reference Chart: How does the Privacy Shield differ from the Safe Harbor provisions?
Principle | What has not changed: | What is new: |
---|---|---|
1. Notice | Data subjects must be informed when their personal data is collected and notified of, amongst other things: | Several new notice requirements including: |
2. Choice | | No material changes |
3. Accountability for onward transfer/vendor agreements | | |
4. Security | | No material changes |
5. Data integrity and purpose limitation | | No material changes |
6. Access | | No material changes |
7. Recourse, enforcement and liability | Organizations must have mechanisms in place to: | Under the Privacy Shield, Organizations will be required to: |