The E.U. is an opt-in society. Consumers must provide explicit consent to the collection and use of their personal or personally identifiable information. Since 2000, U.S. companies could self-certify, by filing paperwork with the U.S. Department of Commerce, that they provide sufficient safeguards when collecting and storing the personal information of E.U. residents.
In October 2015, however, an E.U. court struck down the prior safe harbor framework because, in light of the revelations of Edward Snowden (the ex-C.I.A. worker who disclosed classified data), the court held that the framework did not provide sufficient protection for the private information of E.U. inhabitants. This worried large U.S.-based ecommerce merchants and opened the door to possible liability.
Privacy Shield Framework
Now, under the new Privacy Shield framework, ecommerce providers can again shield themselves from liability for their collection and use of personal or personally identifiable information from E.U. residents. The new framework does the following.
- Requires that firms provide more information to users about the collection and use of personal information, such as the fact that the organization participates in Privacy Shield and that disputes regarding the use of their personal information can be submitted to mediation.
- Increases protection of private data that is transferred from a Privacy Shield participant to another party. The transferring party must take reasonable steps to ensure that its third-party contractors, such as email list processors, use the private data in a manner consistent with Privacy Shield.
- Businesses cannot over-collect information. Instead, they may collect only information that is relevant to the planned and disclosed use.
- Businesses must certify with the U.S. government that they will continue to apply the principles of Privacy Shield even if they leave the program.
- Businesses must designate a point person to respond promptly to privacy-related complaints.
- Businesses must make public any compliance or evaluation reports that they have been required to submit to the U.S. Federal Trade Commission.
Possibly one of the more intriguing facets of Privacy Shield is that, to take full advantage of it, companies must agree to arbitrate any privacy-related claims. Although the new Privacy Shield framework enables E.U. taxpayers to sue U.S. companies in U.S. court for privacy violations, the new arbitration mechanism provides a cheaper and faster resolution of privacy-related claims, which is meant to extend those rights to less wealthy E.U. taxpayers.
Furthermore, if an E.U. resident submits a complaint to the data protection authorities in the E.U., the U.S. Department of Commerce must review the complaint and respond to the E.U. data protection authority within 90 days.
If your ecommerce provider collects personal or personally identifiable information from E.U. residents, and it did not take advantage of the prior safe harbor, now is the time to become compliant. And today, with all the new dispute resolution processes available to E.U. residents, compliance is much more significant than it was under the prior framework.
Compliance is also a lot more complicated this time around. Consider contacting a lawyer for an evaluation of your risk and an outline of a path to compliance.