Of the Importance of Having a Privacy Shield Notice

An article I wrote in French about the U.S.-E.U. Privacy Shield Framework, De la sphère au bouclier : qu’est-ce que le Privacy Shield ? has just been published by the Information, données & documents review.


The E.U. does not find the U.S. to have an adequate level of protection, as required by the Data Protection Directive. Therefore, U.S. companies wishing to transfer personal data to the European Economic Area (EEA), which includes the European Union (EU) and also Iceland, Liechtenstein and Norway, must implement a valid transfer mechanism.

Among these mechanisms are the Binding Corporate Rules (BCRs), which are internal rules a multinational group of companies may adopt to define its global policy regarding international transfers of personal data within the corporate group.

Companies may also implement Standard Contractual Clauses (SCCs). The E.U. Commission has issued two sets of such clauses, one for transfers from data controllers to data controllers established outside the EU/EEA, and one for the transfer to processors established outside the EU/EEA.

Companies used to be able to self-certify to the U.S.-EU Safe Harbor Framework, negotiated by the U.S. Department of Commerce (DoC) and the EU Commission. Self-certified companies which voluntarily agreed to respect the Safe Harbor principles and the Safe Harbor frequently asked questions were deemed to comply with E.U. data protection law when transferring personal data from the EU to the US. However, on October 6, 2015, the European Court of Justice declared the Safe Harbor Framework invalid. The U.S. and the E.U. Commission then engaged in negotiations to reach a new agreement which would allow transatlantic personal data transfer. The Privacy Shield was adopted on July 12, 2016 and became operational on August 1, 2016.

If a company wishes to participate in the Privacy Shield, it must publicly declare its respect for the Privacy Shield Principles, as stated in the Privacy Shield ‘Notice’ Principle.

Therefore, these companies must have a privacy policy which complies with the Privacy Shield Principles. The DoC will regularly review the policies of self-certified companies to ensure that they follow these principles. Failure to do so may lead to sanctions and removal from the Privacy Shield list. Having a Privacy Shield-compliant privacy policy is thus of the utmost importance.

Privacy Shield Principles:

1. Notice
2. Choice
3. Accountability for Onward Transfer
4. Security
5. Data Integrity and Purpose Limitation
6. Access
7. Recourse, Enforcement and Liability

Privacy Shield Supplemental Principles:

1. Sensitive Data
2. Journalistic Exceptions
3. Secondary Liability
4. Performing Due Diligence and Conducting Audits
5. The Role of the Data Protection Authorities
6. Self-Certification
7. Verification
8. Access
9. Human Resources Data
10. Obligatory Contracts for Onward Transfers
11. Dispute Resolution and Enforcement
12. Choice – Timing of Opt-Out
13. Travel Information
14. Pharmaceutical and Medical Products
15. Public Record and Publicly Available Information
16. Access Requests by Public Authorities

Image is courtesy of Flickr user Riley Kaminer under a CC BY 2.0 license.
