FAQ: What are the EU-U.S. Privacy Shield compliance requirements?

In this SearchCompliance FAQ, learn details about how the EU-U.S. Privacy Shield data protection requirements strive to raise consumer privacy standards.

The Privacy Shield is a framework for protecting personal data transferred from the European Union to the United States. The framework was agreed to by the European Commission and the U.S. Department of Commerce on Feb. 2, 2016, and is considered to be a stronger means of protecting data than the Safe Harbor framework that it replaces: Privacy Shield imposes more stringent obligations on U.S. businesses and other organizations while establishing a stronger enforcement scheme for the Commerce Department and the Federal Trade Commission.

Under Privacy Shield, if a company wants to transfer individuals' personal data outside of the European Union, the company must be deemed to provide "adequate" privacy protection for those individuals. The EU-U.S. Privacy Shield went into effect Aug. 1, and as of Sept. 30 more than 300 companies had signed up.

This FAQ is part of SearchCompliance's IT Compliance FAQ series.

Why was the Safe Harbor data protection framework replaced, and how do the two data protection frameworks differ?

The European Court of Justice issued a ruling on Oct. 6, 2015, that invalidated the Safe Harbor Framework and set forth new data protection requirements. The EU-U.S. Privacy Shield includes new rules to satisfy these requirements in several areas, including notice to individuals, data retention and the transfer of data to third parties. Under the Privacy Shield's new data retention rule, for example, companies are allowed to keep personal data only as long as it serves the purpose for which the data was collected.

Privacy Shield's "Notice Principle" requires that companies inform individuals about a host of data protection-related matters, including the company's participation in the Privacy Shield; the types of personal data the company collects; the purposes for which the data is collected and used; where to go with complaints or inquiries; the third parties that receive the data; and the right of individuals to access their own data.

The Privacy Shield also establishes a system to monitor compliance and ensure greater cooperation between the data protection authorities of the European Union member countries and the Federal Trade Commission.

How will Privacy Shield compliance be enforced, and what are the penalties for companies that sign up to participate in Privacy Shield but do not comply?

The U.S. Department of Commerce will regularly review participating companies to ensure EU-U.S. Privacy Shield compliance. Once a year, the department and the European Commission will review how the framework is functioning and the commission will issue a public report to the European Parliament and Council. The Privacy Shield is also considered a "living" framework that is continuously under review.

If EU citizens believe their data has been misused, they have several ways to pursue a resolution. If the company involved does not resolve the complaint, there is an Alternative Dispute Resolution process available at no charge to citizens. They may also bring complaints to the data protection authorities in their own countries, which are required to work with the U.S. Federal Trade Commission to make sure complaints are investigated and resolved.

If a company is found to have violated the principles established under the framework, the company can be sanctioned and removed from the Privacy Shield list.

How does a U.S. company join the Privacy Shield, and what are the costs associated with it?

The EU-U.S. Privacy Shield is administered by the Commerce Department's International Trade Administration (ITA). U.S. companies wishing to participate must self-certify to the department and agree to abide by the framework's principles. To self-certify for the program, a company must establish a privacy policy in compliance with these Privacy Shield principles. It also must provide an independent avenue for investigating and resolving complaints at no cost to the complainant. If a complaint is received, the company has 45 days to respond.

U.S. organizations pay an annual fee to ITA in order to participate in the Privacy Shield. The fee is tiered based on an organization's annual revenue. If an organization's annual revenue is $5 million or less, the fee is $250. At the other end of the scale, companies with annual revenue of more than $5 billion will have to pay a fee of $3,250.

How will Privacy Shield compliance affect the U.S. government's access to data coming from the European Union?

According to the European Union, the United States offered assurances that access to data by law enforcement or national security personnel will be subject to safeguards and clear limitations. In addition, the U.S. announced that under the Privacy Shield Framework, it had "ruled out" indiscriminate mass surveillance of personal information flowing into the country.
