Menu
Five things you need to know about the EU-US Privacy Shield agreement

Five things you need to know about the EU-US Privacy Shield agreement

The Privacy Shield isn't yet in effect, but it could soon be providing privacy protection when EU citizens' personal information is transferred to the U.S.

The Privacy Shield agreement is intended to guarantee the personal information of European Union citizens the same privacy protection when processed in the U.S. as it would receive at home. Where these guarantees are not available, the information must stay in the EU.

Privacy Shield replaces the earlier Safe Harbor agreement, which was torn up by the Court of Justice of the European Union last October because it did not provide adequate protection.

Like its predecessor, Privacy Shield require U.S. businesses wishing to process EU citizens' personal information to self-certify that they will comply with a certain number of principles.

Privacy Shield was little more than a name when the European Commission announced the agreement on Feb. 2, but on Monday it fleshed out details of its negotiations with U.S. authorities.

Here are five things businesses need to know about the Privacy Shield principles

1. Signing up is voluntary; compliance is compulsory

Signing up to Privacy Shield is voluntary but if a business does not sign up, it can not process EU citizens’ data in the U.S. Once a business has signed up, compliance with the principles is compulsory and can be enforced by the U.S. Federal Trade Commission.

Participating companies must publish -- and respect -- their privacy policies. Those that don't keep their promises may be sanctioned or excluded from the Privacy Shield agreement. The U.S. Department of Commerce will publish a list of companies that have signed up, and another of those that have been excluded.

2. National security still trumps Privacy Shield

Where the Privacy Shield principles conflict with U.S. national security or law enforcement needs, you can forget Privacy Shield. Article 5 of the agreement says: "Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b)
by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations."

3. Mass surveillance is still allowed

Even though its openness to mass surveillance of EU citizens' communications and online activities was one of the things that brought down Safe Harbor, such surveillance activities are still allowed under Privacy Shield. The EU's fact sheet claims that "U.S authorities affirm absence of indiscriminate or mass
surveillance," but U.S. documents forming part of the agreement claim nothing of the sort. The U.S. still allows itself to perform bulk surveillance for six purposes: detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to U.S. or allied armed forces, and combating transnational criminal threats, including sanctions evasion.

4. Businesses will have 45 days to reply...

If an EU citizen complains about the treatment of their personal information under Privacy Shield, companies will have 45 days to reply their complaint. If the reply doesn't bring satisfaction, the complainant can have recourse to a number of other resolution mechanisms, including a free alternative dispute resolution service and their own national privacy regulator.

5. ... but it hasn't started yet

The European Commission jumped the gun in announcing Privacy Shield on Feb. 2, as many of the written promises from the U.S. on which the agreement depends did not arrive for another three weeks. On Feb. 29 the Commission published those documents, along with a draft "adequacy decision," the legal instrument by which Privacy Shield's provisions will be declared equivalent to the protections offered by EU law.

The draft adequacy decision is still open to challenge by the governments and data protection authorities of the EU's 28 member states, and must be reviewed annually to ensure that all parties are still respecting the undertakings on which it is founded. If they aren't, then in theory it can be suspended.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments