How to Prepare for the EU-U.S. Privacy Shield Framework: Giving Adequate Notice

Post Date: 06/15/2016

The European Union-United States (EU-U.S.) Privacy Shield framework was designed by the U.S. Department of Commerce and the European Commission to give companies on both sides of the Atlantic a mechanism for complying with EU data protection requirements when they transfer personal data from the EU to the U.S. in the course of transatlantic commerce. At the center of the new framework are enhanced requirements for companies to:

  • Fully disclose their data privacy and protection practices
  • Provide transparency, choice and consent to their customers
  • Implement safeguards and controls around the collection, holding, protection, and transfer of personal data

The fate of the Privacy Shield is still in flux: EU data protection authorities recently expressed concern about whether it is “strong enough” to fully protect the privacy of EU citizens. It is nonetheless likely to come into effect, either in its current form or in a stronger one. As drafted, Privacy Shield already imposes enhanced and in some cases entirely new obligations that organizations need to understand. This post focuses on the concept of “Notice.”

What does Notice mean under the Privacy Shield framework?

The IAPP defines a “privacy notice” as “a statement made to a data subject that describes how the organization collects, uses, retains, and discloses personal information” (references in the IAPP certification textbooks: F16; US16-18, 37; G95-97, 100). Privacy Shield participants must provide individuals, in clear and conspicuous language, with notice of:

  • The organization’s participation in Privacy Shield
  • The type of data collected
  • The purposes for which the data is collected

Individuals also must be informed of:

  • Any third parties to which their data will be transferred
  • The requirement to disclose personal information in response to lawful requests by public authorities
  • Which enforcement authority has jurisdiction over the organization’s compliance with the framework
  • The organization’s liability in cases of onward transfer of data to third parties

Finally, the organization must describe the recourse mechanisms available to individuals and acknowledge that it is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) or another authorized statutory body. A Privacy Shield participant must also include in its privacy policy a declaration of its commitment to comply with the Privacy Shield Principles; that public commitment is what makes the Principles enforceable against the organization under U.S. law.

What does this mean for you?

Don’t leave your policies to chance. Privacy Shield requires not only that you write policies that meet its mandate, but that you operationalize them and be able to prove that you have done so. A plain-language privacy policy communicates complex and important information clearly to readers without legal or technical training; clear writing and effective presentation promote consumer understanding and save the company time and money. When a participant’s privacy policy is available online, it must include a link to the Department of Commerce’s Privacy Shield website and a link to the website or complaint submission form of the independent recourse mechanism that investigates individual complaints. Close review and ongoing monitoring of your website privacy policies, and of the data collection and tracking mechanisms behind them, will be more important than ever.

How to create the privacy policy that’s right for you

How do you create policies that actually reflect what your organization does? Your privacy team must understand not only a day in the life of their business counterparts, but also how data is collected, created, and flows within and outside the organization. Whether data is generated inside your organization or collected from a third party (customer, vendor, partner, or other), the only way to protect it effectively is to understand it. What is the data? Does it contain customer information, employee information, intellectual property, sensitive communications, personally identifiable information (PII), protected health information (PHI), or financial data? The list goes on. Every company creates and holds sensitive data, and there is nothing wrong with that. But only once you know what the data is, where it is, who can access it, and who has accessed it can you decide where it should live.

Start by taking the time to understand what kinds of data your business handles and how your co-workers use internal systems in their day-to-day jobs. Understanding the “day in the life” of your colleagues will show you why and how they need to handle protected data in the course of their work, and the time you invest in understanding their requirements will pay off in spades as you craft solutions that meet both their needs and your obligations.

Privacy and security risk management intersect with the other data lifecycle management programs in your company. Combining these related areas lets you make better use of resources and manage risk to information assets more effectively, in support of the responsible, ethical, and lawful collection, use, sharing, maintenance, and disposition of information.

5 key considerations for your privacy policy

To better integrate privacy and security with your ongoing data management practices and build the right policy, I recommend keeping these five considerations in mind:

  1. Consider how data is created or collected by your company. Think about excessive collection, how you will give individuals notice of that collection, how you will offer them appropriate choices, and how you will keep an appropriate record of what was collected or created.
  2. Think about how you will use and maintain the data. Consider inappropriate access, make sure individuals’ choices are honored, address potential new uses (or misuse), plan how you would respond to a breach, and ensure you retain the data properly for records management purposes.
  3. Consider who the data will be shared with. Take into account data sovereignty requirements and cross-border transfer restrictions, along with inappropriate, unauthorized, or excessive sharing.
  4. Know that all data has an appropriate disposition period. Keep data for as long as records management, statutory, regulatory, or compliance requirements demand, and make sure you do not dispose of it inadvertently. At the same time, remember that for as long as you hold sensitive data, you carry the risk of a breach.
  5. Understanding the difference between what can be shared and what should be shared is always the key. A good program continually assesses and reviews who needs access to which types of information. Privacy professionals should then work with their IT counterparts to automate controls in enterprise systems so that it is easier for employees to do the right thing than the wrong thing, and harder to ignore the consequences of their actions. Once you have implemented your plan, keep up regular and ongoing assessments.

Trust is something a business must work to establish with its customers every day, and once lost it is very difficult to regain. Consumers can reward companies that give these matters proper attention on their websites with their purchasing power and by supporting the brands they respect. Privacy Shield in some measure makes this mandatory by insisting that participating organizations be transparent with their customers about their data protection practices. Notice is the first step in that process.

What’s next?

To learn more about how you can prepare for the Privacy Shield framework, sign up for our EU-US Privacy Shield Guide. You will get additional resources, including white papers and exclusive blog posts, to make sure your organization is on the right track.


Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities. Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School.
