Demystifying the Privacy Shield
The EU US Privacy Shield requires that companies select an independent recourse mechanism to assist EU citizens in reconciling any complaints about privacy. This article reviews just what an independent recourse mechanism is, and the key considerations around how to select the RIGHT one for your organization.
If you don’t know what an independent recourse mechanism is, then you should start by learning more about Privacy Shield here.
What is an Independent Recourse Mechanism?
Under the text of the Privacy Shield framework, U.S. organizations receiving personal data from the EU must commit to providing:
(i) recourse for individuals to whom the data relate; (ii) follow-up procedures for verifying that the attestations and assertions they have made about their privacy practices are true; and (iii) obligations to remedy problems arising out of failure to comply with the Principles and consequences for such organizations.
This is where an independent recourse mechanism comes into play. Independent recourse mechanisms are really just processes designed to enable compliance with the requirements listed above. They are administered by data protection authorities (DPAs), which are also sometimes referred to as recourse providers or independent recourse providers. Selecting an independent recourse mechanism provider is necessary to comply with Privacy Shield.
The two types of independent recourse mechanism providers
There are two basic types of independent recourse providers:
- US based private recourse providers
- EU Data Protection Authorities (DPAs)
Companies seeking to comply with the Privacy Shield can select either, or both — so which should you choose? There are some VERY important legal ramifications to consider when choosing, as well as costs that are involved in either case. Additionally, in some cases, companies are actually obligated to utilize EU DPAs as their independent recourse mechanisms.
US based private recourse providers
You may select a US based recourse provider for anything that is NOT related to human resources data (HR data includes any personal data you collect as an employer about your employees or contractors). These recourse providers are US based businesses that have decided to offer their independent recourse mechanisms as paid services. It is important to note that there is NOT a certification or approval process for becoming a recourse provider — a company can simply declare itself as such and begin providing the service.
It is also important to note that there are some differences in the ways that various recourse mechanisms provide their services. This variety exists because Privacy Shield has only loosely defined the activities that need to be performed, leaving a substantial amount of room for interpretation. This has led to some independent recourse mechanisms providing more services than are necessary and charging a substantial amount for those unnecessary services, preying upon the lack of understanding that is pervasive about this complicated piece of legislation. Be careful not to overpay for those unnecessary services.
EU Data Protection Authorities
There is a good reason NOT to choose a US based recourse provider, and it is that you MUST select the EU DPAs for human resources data being transferred to the US (remember, human resources data specifically deals with your company's own employees or contractors). If your company is processing both HR and non-HR data, however, you only have to use the EU DPAs for the HR data, meaning you can still select a US based independent recourse mechanism for your non-HR data.
Registration with the EU DPAs does not need to take place before you register for the Privacy Shield, because it is built into the self-certification form. While US based independent recourse mechanisms have all selected different pricing models, there is a flat $50 fee for selecting the EU DPAs (payable here). The important consideration here is that if you select an EU DPA, then you will be held to EU legal standards in the event of legal action.
I’ve selected a recourse mechanism, now what?
- The independent recourse mechanism passes judgment as to whether the citizen's complaint actually constitutes a violation of the Privacy Shield principles.
- If it is determined that there is a violation and the company will not resolve the complaint (a VERY serious matter), then the independent recourse mechanism will inform the International Trade Administration, as well as the Federal Trade Commission or the Department of Transportation (depending on which has jurisdiction), and an investigation will be started.
Located in the heart of the Silicon Slopes in Utah, Whistic is a leading vendor assessment platform built for companies focused on protecting data and proactively managing security reviews. Whistic enhances evaluation of third-party vendor networks while improving the process of gathering, sending, receiving, and storing assessment information; thereby promoting mature vendor risk management programs. Whistic’s automated, streamlined platform also reduces the manual, time consuming effort that is typically synonymous with performing and responding to security reviews.
Whistic is designed for an intuitive, collaborative user experience from initial vendor onboarding to ongoing assessment, and harnesses the wisdom of hundreds of security professionals to consistently deliver risk insights through its patent-pending CrowdConfidence scoring algorithm. For more information visit http://www.whistic.com, read the latest on the Whistic blog or follow Whistic on Twitter @Whistic_Inc.