Sorting out GDPR and Privacy Shield
GDPR, the General Data Protection Regulation, is the European Union's data protection law, applied since 25 May 2018 in the EU and the EEA countries. Privacy Shield was the EU-U.S. framework under which US organizations could self-certify to receive personal data from the EU; it was administered by the US Department of Commerce and enforced by the FTC.
This page is primarily concerned with Privacy Shield, but some GDPR info is also included, since the two systems overlap. Note that the Court of Justice of the EU invalidated the Privacy Shield adequacy decision on 16 July 2020 (Schrems II), so a Privacy Shield certification no longer provides a lawful basis for EU-to-US transfers; its successor, the EU-U.S. Data Privacy Framework (adequacy decision of July 2023), follows the same self-certification template described below.
Notice: Nothing on this page is legal advice. It is a collection of information gathered onto one page for your review according to your interest in this subject. As always, use appropriate legal counsel when conducting your legal affairs.
COST FOR PRIVACY SHIELD CERTIFICATION:
Fee rate: an annual fee tiered by the organization's revenue [the page's screenshot of the fee table is not reproduced]
Certification lasts one year and must be renewed annually.
- There are additional rules for human resources data of employees in the European Union. That is not the focus of this page.
- There are separate rules for data collected for marketing purposes. That is a separate issue within Privacy Shield and not the main focus of this page.
- There is an exception for journalistic material, so that the Principles do not conflict with press freedom. To see whether your activity falls into that category, consult the Journalistic Exceptions - https://www.privacyshield.gov/article?id=2-Journalistic-Exceptions
What Privacy Shield is
PRIVACY SHIELD superseded the old Safe Harbor program, which the Court of Justice of the EU invalidated in October 2015 (Schrems I).
PRIVACY SHIELD exists to satisfy the European Commission's adequacy decision: a US organization that self-certifies and keeps to the Principles may receive personal data from the EU without a separate transfer instrument such as standard contractual clauses.
PRIVACY SHIELD was adopted in 2016, before the GDPR applied. It was negotiated under the earlier Data Protection Directive (95/46/EC) and carried over as a transfer mechanism once the GDPR took effect. A searchable copy of the GDPR text is at https://gdpr-info.eu/
In the United States the program is administered by the Department of Commerce, which maintains the Privacy Shield List, and compliance is enforced by the FTC (Federal Trade Commission) or, for airlines and ticket agents, the Department of Transportation. US enforcement concerns the PRIVACY SHIELD commitments, not the GDPR itself, which is enforced by the data protection authorities of the EU member states.
How this is a matter to do with web sites:
PRIVACY SHIELD's CHOICE principle is what a web site has to implement for its visitors and for anyone whose data it collects through e-mail or any other channel: an opt-out before personal data is disclosed to a third party or used for a materially different purpose, and an affirmative opt-in for sensitive data - see: https://www.privacyshield.gov/article?id=2-CHOICE
A random example of implementation
An example of a web site certified with Privacy Shield, with the required notice of its participation on its site: [screenshot not reproduced]
How their participation is listed on the Privacy Shield List at privacyshield.gov: [screenshot not reproduced]
A legal notice of limitation about privacy shield:
"They are intended for use solely by organizations in the United States receiving personal data from the European Union for the purpose of qualifying for the Privacy Shield and thus benefitting from the European Commission’s adequacy decision.1 The Principles do not affect the application of national provisions implementing Directive 95/46/EC (“the Directive”) that apply to the processing of personal data in the Member States. Nor do the Principles limit privacy obligations that otherwise apply under U.S. law." https://www.privacyshield.gov/article?id=OVERVIEW
ERIK: I understand this to mean that privacy shield does not cover privacy requirements that are issued by, for example, California, which has created its own internet Privacy Regulations, or any other individual state that may be creating regulations. [The website TECH CRUNCH has an overview of the California privacy laws which take effect next year techcrunch.com]
Privacy Shield Legal Trouble:
"An organization’s failure to comply is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. § 45(a)) or other laws or regulations prohibiting such acts."
ERIK: The page states that if a business has privacy shield and loses its certification, it will be listed online on the list of failed businesses. So once a business joins they have to keep up their certification yearly, or they must meet the regulations for withdrawal from Privacy Shield - see section F on this page:
Organizations are obligated to apply the Principles to all personal data transferred in reliance on the Privacy Shield after they enter the Privacy Shield.
The main requirements (largely GDPR requirements, which also shape what a Privacy Shield privacy policy has to say):
Personal data is anything relating to an identified or identifiable individual: "any data that relates to or can be used to identify someone".
Examples: a person's name, the IP address used to access the website, e-mail addresses, cookie or device identifiers.
Sensitive information gets stricter treatment (affirmative opt-in under Privacy Shield): personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or the sex life of the individual (see privacyshield.gov/CHOICE).
Individuals must be told, before collection, what is collected and why; where consent is the basis for collection, it must be asked for explicitly.
Individuals have a right of access: they can ask what data about them is held and obtain a copy of it.
The organization must limit collection to what it needs, control who can reach the stored data, and protect it (for example by encrypting it at rest and in transit) against unauthorized access.
Under the GDPR (Articles 33 and 34), a personal data breach must be reported to the competent EU supervisory authority within 72 hours of the organization becoming aware of it, and affected individuals must be told without undue delay when the breach is likely to put them at high risk. Privacy Shield itself imposes no 72-hour deadline, and the notification goes to the EU supervisory authority, not to the FTC.
Data may only be used for the purposes stated to the person at collection (purpose limitation); using it for something materially different requires a fresh notice and choice.
Anyone who requests their personal data must receive it in a structured, commonly used, machine-readable format (for example JSON or CSV) so they can take it elsewhere (data portability).
Breaching the requirements exposes the organization to fines and enforcement action by the authorities involved.
For online services offered directly to children, the GDPR requires parental consent below the age of 16 (EU member states may lower this to 13).
More about Permissions / Consent
Anyone visiting the website must be told what information is being collected and how it is used. This is stated in the privacy policy, which for a Privacy Shield participant must also carry the Privacy Shield statements (see this random example: https://www.alarm.com/legal/privacy-shield-policy)
Where consent is relied on under the GDPR, the visitor must actively "opt in" (no pre-ticked boxes); the request for consent must be clearly distinguishable from other matters and presented in an intelligible and easily accessible form, in clear and plain language (i.e., not in "legalese"). Privacy Shield's Choice principle is narrower: it requires an opt-out before personal data is disclosed to a third party or used for a materially different purpose, and an affirmative opt-in for sensitive data.
It must be as easy to withdraw consent as it is to give it.
GDPR infractions can be sanctioned with fines of up to 4% of annual worldwide turnover or up to €20 million, whichever is higher. This is European jurisdiction, but the GDPR reaches any organization that offers goods or services to, or monitors the behaviour of, individuals in the EU, wherever the organization is based and regardless of the individual's citizenship.
For USA liabilities page under PRIVACY SHIELD look at: https://www.privacyshield.gov/article?id=7-RECOURSE-ENFORCEMENT-AND-LIABILITY
Things to do to your WEB SITE
1. Encrypt all web traffic (HTTPS only; redirect plain HTTP to HTTPS).
2. Use a TLS certificate (still commonly called an "SSL certificate"; hosting companies and Let's Encrypt often provide one gratis).
3. Designate a privacy contact. Under Privacy Shield this is the contact office for complaints and access requests. Under the GDPR a Data Protection Officer (DPO) is mandatory only for certain organizations (public bodies and those whose core activities involve large-scale monitoring or large-scale processing of sensitive data), and the DPO is not the same thing as the data "controller", which is the organization itself. This person also handles complaints and disputes and is the link to the required independent recourse mechanism: https://www.privacyshield.gov/article?id=7-RECOURSE-ENFORCEMENT-AND-LIABILITY
[Here are 2 examples of third-party dispute resolution providers: https://www.trustarc.com/ and https://www.verasafe.com/privacy-services/dispute-resolution/ - - - for an example of cost, VeraSafe shows a charge of $750 a year to act as a third-party dispute resolution service]
4. Meet all the notice and permission requirements.
5. Set up the opt-in / opt-out forms, and the path for withdrawing consent, on the website.
6. Keep the information in the ways required: access restricted to the people who need it, encrypted at rest, and indexed by individual so that when a person asks for their data it can be retrieved and provided to them. Here is the Access Principle that has to be met:
The response time requirement is vague:
"Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay."
7. Complete the self-certification (see below) and either use a third party to verify or SELF-VERIFY that the requirements have been met (see below).
To self-certify for the Privacy Shield, an organization must submit to the Department of Commerce (which administers the Privacy Shield List; the FTC is the enforcement body) a self-certification submission, signed by a corporate officer on behalf of the organization joining the Privacy Shield, that contains at least the following information:
- 1. name of organization, mailing address, e-mail address, telephone, and fax numbers;
- 2. description of the activities of the organization with respect to personal information received from the EU;
- 3. its effective date of implementation;
- 4. a contact office for the handling of complaints, access requests, and any other issues arising under the Privacy Shield;
- 5. the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the Principles or a future annex to the Principles);
- 6. name of any privacy program in which the organization is a member;
- 7. method of verification (e.g., in-house, third party) (see Supplemental Principle on Verification); and
- 8. the independent recourse mechanism that is available to investigate unresolved complaints.
See the Privacy Shield self-certification page: https://www.privacyshield.gov/article?id=6-Self-Certification
There are two methods for verification:
1. Self-assessment approach (section C on this page)
2. Outside compliance review (section D on this page)
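As an added example (not code from this page or from any of the providers named above), here is a small Python consent ledger that ties together items 3, 5 and 6 of the "Things to do to your WEB SITE" list and the "More about Permissions / Consent" section: opt-in recorded per purpose, withdrawal as a single call of the same shape as granting, purpose limitation enforced at the point of use, and an access/portability export of everything held about one individual. The in-memory storage, the JSON export format, the purpose names and the subject identifiers are assumptions of the example; encryption at rest and the web forms that would call into it are out of scope.

```python
"""Consent ledger with purpose limitation and a data-subject export.

Added example, not code from the page or from any Privacy Shield provider.
Assumed: in-memory storage, purposes named by plain strings, and JSON chosen
here as the portable export format.
"""
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    at: str                # ISO-8601 UTC timestamp, kept as evidence


@dataclass
class SubjectRecord:
    subject_id: str
    data: dict = field(default_factory=dict)         # field -> {"value", "purpose"}
    consent_log: list = field(default_factory=list)  # append-only history


class ConsentLedger:
    def __init__(self):
        self._subjects = {}

    def _record(self, subject_id):
        return self._subjects.setdefault(subject_id, SubjectRecord(subject_id))

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat()

    def grant(self, subject_id, purpose):
        self._record(subject_id).consent_log.append(
            ConsentEvent(purpose, True, self._now()))

    def withdraw(self, subject_id, purpose):
        # One call, same shape as grant(): withdrawing must be as easy as giving.
        self._record(subject_id).consent_log.append(
            ConsentEvent(purpose, False, self._now()))

    def has_consent(self, subject_id, purpose):
        # The most recent event for this purpose wins. No event at all means no
        # consent: this is opt-in, so silence is never treated as agreement.
        record = self._subjects.get(subject_id)
        if record is None:
            return False
        for event in reversed(record.consent_log):
            if event.purpose == purpose:
                return event.granted
        return False

    def store(self, subject_id, field_name, value, purpose):
        # Collection is refused unless the subject opted in for this purpose.
        if not self.has_consent(subject_id, purpose):
            raise PermissionError(f"no consent from {subject_id} for {purpose!r}")
        self._record(subject_id).data[field_name] = {"value": value, "purpose": purpose}

    def use(self, subject_id, field_name, purpose):
        # Purpose limitation: data collected for one purpose is not handed out
        # for another, and withdrawn consent blocks further use.
        entry = self._record(subject_id).data.get(field_name)
        if entry is None:
            raise KeyError(field_name)
        if entry["purpose"] != purpose:
            raise PermissionError(
                f"{field_name!r} was collected for {entry['purpose']!r}, not {purpose!r}")
        if not self.has_consent(subject_id, purpose):
            raise PermissionError(f"consent for {purpose!r} has been withdrawn")
        return entry["value"]

    def export(self, subject_id):
        # Access / portability: everything held about the subject, including the
        # consent history, as plain data structures.
        record = self._record(subject_id)
        return {
            "subject_id": record.subject_id,
            "data": dict(record.data),
            "consent_log": [asdict(e) for e in record.consent_log],
        }

    def export_json(self, subject_id):
        return json.dumps(self.export(subject_id), indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample flow: opt in, collect, use, withdraw, export.
    ledger = ConsentLedger()
    ledger.grant("u1", "newsletter")
    ledger.store("u1", "email", "a@example.com", "newsletter")
    print(ledger.use("u1", "email", "newsletter"))
    ledger.withdraw("u1", "newsletter")
    print(ledger.export_json("u1"))
```

The log is append-only so that the organization can show when consent was given and when it was withdrawn; the export includes that history because an access request covers everything held about the person, not only the profile fields.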
What the privacy policy must tell individuals (the Notice principle):
- i. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,
- ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,
- iii. its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield,
- iv. the purposes for which it collects and uses personal information about them,
- v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints,
- vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,
- vii. the right of individuals to access their personal data,
- viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,
- ix. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States,
- x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body,
- xi. the possibility, under certain conditions, for the individual to invoke binding arbitration,
- xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
- xiii. its liability in cases of onward transfers to third parties.
Getting help with Privacy Shield