By adhering to the core principles (notice; choice; security; accountability for onward transfer; data integrity and purpose limitation; access; and recourse, enforcement and liability), your company signals that it places great value on data privacy protection and will make every effort to honor European and Swiss individuals' requests regarding the use of their personal information.
These Privacy Shield principles apply to the personal information that your company transfers from the EU or Switzerland to the United States. Personal information means data about an identified or identifiable individual: name, address, telephone number and similar identifying information. Below is a chart listing each principle, its requirements under Safe Harbor, and the new requirements under the Privacy Shield framework. More detail on each principle is available from the Department of Commerce (DOC); to learn more about the Swiss Privacy Shield, review the DOC's FAQ.
Notice
Safe Harbor: Disclose that the organization adheres to the principles/framework, and state what information-collection, sharing, access, opt-out, enforcement and security measures are in place.
Privacy Shield (new): Requires links to the DOC Privacy Shield participant list and to the dispute-resolution provider's website; disclosure of the new right of individuals to pursue binding arbitration if other mechanisms fail; disclosure that PI may be shared in response to lawful requests or for national security purposes; and disclosure of the organization's liability for onward transfers to third parties.

Choice
Safe Harbor: Provide consumers with the opportunity to opt out or, for sensitive information, to opt in, depending on the nature of the data.
Set up appropriate procedures to honor consumers' opt-out/opt-in requests, particularly requests not to be approached for direct marketing (i.e., an in-house suppression system).
Opting out should not require consumers to incur any fee or expense beyond a first-class stamp or a phone call.
Opt-in is required for sensitive information: medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual.
Privacy Shield: Individuals must be provided with clear, conspicuous and readily available mechanisms to exercise choice.
An organization must offer individuals the opportunity to choose (opt out) whether their PI is to be disclosed to a third party or used for a purpose materially different from the one for which it was collected.
Choice is not required when disclosure is made to a third party acting as an agent to perform tasks on behalf of the organization; however, the organization must always enter into a contract with the agent.
The definition of sensitive information is the same as under Safe Harbor.

Accountability for Onward Transfer
Safe Harbor: Determine the need for contracts with respect to the transfer of information to third parties.
You must ensure that if information is disclosed to agents or subcontractors, they agree to abide by the Safe Harbor principles. You should only transfer data to third parties consistently with the notice and choices you have given consumers.
Any agents of yours who handle or process your data, such as service bureaus, must themselves either be subject to the EU Directive or be members of Safe Harbor, or they must agree in writing to be bound by these principles. In all events, you must document your agreement with them as to their treatment of the data.
Privacy Shield: Same overall themes, but the participating company is now liable in cases of onward transfer of data to third parties.
Any onward transfer may take place only: 1) for limited and specified purposes; 2) under a contract (or a comparable arrangement within a corporate group); and 3) if that contract provides the same level of protection as is guaranteed by the Principles, which may be limited only to the extent necessary to meet national security, law enforcement and other public interest requirements.
This applies to any third party regardless of location (within or outside the U.S.).
Additionally, upon request by DOC, the organization must provide a summary or a copy of the relevant privacy provisions of its contract with the agent.

Security
Safe Harbor: The organization must take reasonable and appropriate measures to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Privacy Shield: Same general principles.
Where the organization uses a sub-processor, it must enter into a contract guaranteeing the same level of protection as the Principles and take steps to ensure proper implementation.

Data Integrity and Purpose Limitation
Safe Harbor: Ensure that customers' personal information is reliable, accurate, complete, current and used for its intended purposes.
Your company should not process data that are not relevant to the purpose for which they were collected, unless subsequently authorized by the consumer.
Privacy Shield: Must limit personal information to the information relevant for the purposes of processing.
Must comply with the new data retention principle: personal information may be kept in a form that identifies the individual only for as long as it serves a purpose of the processing.

Access
Safe Harbor: You must provide customers the ability to access the PI the company maintains about them and to correct, amend or delete it where it is inaccurate or has been processed in violation of the Principles (on a sliding scale: the obligation to provide access increases where the use of the information is more likely to significantly affect the individual).

Recourse, Enforcement and Liability
Safe Harbor: Take reasonable steps to ensure that any consumer privacy concern will be addressed by:
- referring consumers to your customer service department or other in-house dispute resolution program;
- subscribing to a third-party dispute resolution mechanism to address any consumer data privacy complaints not resolved in-house (DMA provided this service for 15 years); and
- having appropriate monitoring, verification and remedy procedures in place.
Privacy Shield: The independent dispute resolution service should be readily available and at no cost to the consumer. (DMA never charged consumers for this service.)
A new remedy available to EU individuals is binding arbitration. Individuals must first exhaust the other mechanisms, in order:
- contacting the company directly;
- contacting the independent dispute resolution provider; and
- only then pursuing binding arbitration.
Binding arbitration resolves an individual complaint; no monetary damages are available under it.
Binding arbitration is not yet available under the Swiss Privacy Shield; the process will be created at the annual review meeting between the U.S. and Swiss governments.
The EU Privacy Shield also provides a separate complaint process: consumers may contact the appropriate DPA, which then resolves the complaint itself or works with DOC to resolve it. Binding arbitration is not part of this DPA route.