Privacy Shield Update


By Chris Debo

The European Commission approved a new data-sharing arrangement with the United States, known as the EU-US Privacy Shield, on July 12, 2016. The aim of Privacy Shield is to provide a safer data-sharing climate for all Europeans. The data transfer agreement enables nearly 2,000 companies to transfer the personal data of EU citizens to the U.S. without breaching European privacy rights. It comes after the collapse of Safe Harbor, an agreement that stood for almost 15 years, in the wake of the Edward Snowden disclosures of mass surveillance in 2013.

Privacy Shield and Safe Harbor differ only slightly, with one major exception: stricter rules for onward transfers of data to third parties. If a U.S. company wishes to pass on data received from the EU, Privacy Shield requires that the third party provide the same level of protection as the original company. Privacy Shield also makes a stronger commitment to the individual rights of EU citizens, citing stronger protections for the personal data involved in such transfers.

Critics claim that Privacy Shield still does not do enough to protect the rights of Europeans, with the primary concern being U.S. government data tracking and surveillance. Digital Rights Ireland (DRI), a privacy rights organization, has recently filed suit against the European Commission, citing concerns about the “areas of freedom, security, and justice” and seeking an “action of annulment”. DRI is the same group that brought down Safe Harbor in 2014 amid concerns about U.S. surveillance efforts.

Presidential Policy Directive No. 28 (PPD-28), an Obama administration reform that extended privacy protections to foreigners, is considered by many to be critical to Privacy Shield’s survival. But it is unclear whether the Trump Administration will take any direct or indirect action that could jeopardize the Directive.

The U.S. Department of Commerce has listed the following principles that must be adhered to in order to comply with Privacy Shield:

  1. Notice - Organizations must notify individuals that they participate in Privacy Shield, and disclose any third-party sharing in which the organization may engage.

  2. Choice - Organizations must offer an easily accessible opt-out mechanism for individuals who do not wish to participate. Sensitive personal data may be shared with anyone only if the individual has explicitly opted in.

  3. Accountability - Companies choosing to distribute data are now liable if the third party fails to uphold the standards of Privacy Shield.

  4. Security - The firm must have taken adequate security measures to protect sensitive information from destruction, unauthorized access or loss.

  5. Data Integrity - Organizations must take measures to limit data collection to relevant information only. Information gathered while certified remains subject to these principles even after certification has ceased.

  6. Access - Individuals must be able to obtain, at any time, the data an organization holds about them, and they have the right to correct, amend or delete that information as they choose.

Updates from Safe Harbor

The United States has established an Ombudsman mechanism, independent of the national security services, to investigate and respond to potential violations. Individual complaints now carry maximum response times: a company has 45 days to resolve a dispute raised by an individual.

What does this mean for your business?

Companies are not required to sign up. Those that choose to participate complete a self-certification process intended to ensure that they adhere to the framework’s principles. Once a company agrees to the Privacy Shield guidelines, its participation becomes public knowledge, and it faces fines of $21,842,000 or up to 4% of worldwide gross income if found to have violated the Framework. Previously, companies needed to demonstrate their compliance with Safe Harbor on an annual basis; under Privacy Shield, regulators may test for compliance at any time. Companies found to have violated these terms may be publicly identified by the Federal Trade Commission.


Material discussed is meant for informational purposes only and is not to be construed as investment, tax or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon only when coordinated with individual professional advice.

© 2018 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.