Different tools, such as contractual clauses, binding corporate rules and the Privacy Shield, are available for companies wanting to transfer personal data from the EU to the US.
If the Privacy Shield is used, US companies must first sign up to this framework with the US Department of Commerce. The obligation applying to companies under the Privacy Shield are contained in the 'Privacy Principles'. The 'Privacy Principles' lay out a set of requirements governing participating organisations’ use and treatment of personal data received from the EU as well as the access and recourse mechanisms that participants must provide to individuals in the EU. The 'Privacy Principles' are:
- Accountability for onward transfer
- Data integrity and purpose limitation
- Recourse, enforcement and liability
The US Department of Commerce is responsible for managing and administering the Privacy Shield and ensuring that companies live up to their commitments. They ensure that companies' privacy policies are adequate, as well as removing any companies from the list which no longer meet the requirements.
The EU-US Privacy Shield provides for:
- strong data protection obligations on companies receiving personal data from the EU
- safeguards on US government access to data
- effective protection and redress for individuals
- an annual joint review by EU and US to monitor the correct application of the arrangement
American companies that want to handle the personal data of EU citizens must register on the Privacy Shield List and self-certify that they meet all the requirements including the minimum data protection standards. This must be repeated annually.
European citizens who believe their data has been misused by a US company can take the following steps:
- Lodge a complaint with the company
- Take the complaint to the relevant US authority (eg Department of Commerce or Federal Trade Commission)
- Use Alternative Dispute Resolution (ADR) which should be provided free of charge by the company
- Appeal to the Privacy Shield Panel