Customer Data Security Part 3: Privacy Shield and Engaging Consumers in the EU

standing on bridge in european city


[Estimated read time: 7 minutes]

One of the biggest consumer privacy events of this year was the release of the new EU/US Privacy Shield agreement. This installment of our Consumer Data Security Series will give you some background on the agreement, what it entails, and how to comply with it.

What is the EU Privacy Shield?

Historically, the main governing program around consumer privacy between Europe and the United States was something called the EU/US Safe Harbor Agreement. It provided guidance to the US business community regarding the handling of European consumer data. It also established a framework for sharing consumer data between EU countries and the United States.

In 2015, after a number of high profile breaches in the US, the EU Commission essentially cancelled this agreement with the United States. Beyond the breaches, another reason for Safe Harbor being dropped was that it lacked the “teeth” it needed for real enforcement. This cancellation caught many US companies off-guard, and after a number of very confusing months, a new model was agreed upon: Privacy Shield. This new framework expanded upon a number of areas of privacy compliance and required a higher degree of diligence on the part of US regulatory organizations, as well as consumer companies.

Privacy Shield introduced a series of updates regarding how businesses would need to interact with EU consumers and manage their personal data. It also added an element of recourse for European citizens and the gave them better control over how and where their information was being used. In the simplest terms, it acts as a “Bill of Rights” for consumer privacy and a framework for enforcing those rights.

While the previous Safe Harbor agreement provided guidance on these matters, it still left little in terms of monitoring, oversight, and penalties for those who didn’t follow the rules. Like any other compliance programs, for it to be effective, it needed a set of comprehensive controls and a level of clarity for everyone involved.

The 7 Principles of Privacy Shield

Towards the goal of clarity, a set of guiding principles was established that form the foundation of the framework. They are embodied in the 7 Principles of Privacy Shield:

  1. Notice – Letting the consumer know what they are getting themselves into when they share their information with your company
  2. Choice – Providing the consumer an opportunity to “opt-out” at any phase of their relationship with your organization
  3. Accountability for onward transfer – Limiting how you share the consumer’s data with business partners and in the event of a merger or acquisition in your company
  4. Security – Taking proper measures to protect the consumer’s information
  5. Data Integrity and Purpose Limitation – Ensuring that the consumer’s information is correct and up to date as well as limiting your use of that data to what you agreed to in your notice statement
  6. Access – Providing a method for the consumer to access their data, review the information and have it removed entirely if they desire
  7. Recourse, Enforcement, and Liability – Establishing and maintaining a channel for the customer to communicate and escalate their complaints with the addition of penalties for a breach of policy

While many of these concepts were part of Safe Harbor, the main difference now is that there are specific mechanisms for the consumer to gain more control over their information and clearer ways for the consumer to voice complaints when their information is misused.

For example, there are requirements for the governing US bodies to actively monitor and enforce the Privacy Shield regulations. The process is more active and less passive. This means that as a consumer-oriented business, you’ll need to have your house in order ahead of time. Audits and inspections are a real possibility. 

Also, there is a clearer path for the consumer to escalate their issues and concerns. As a company doing business in the EU, you’ll have to provide a line of communication to the consumer and appoint a dedicated Compliance Officer as a point of contact. You’ll still need to engage a third party arbitration organization such as the Better Business Bureau (BBB) or TRUSTe as a point of escalation, but there is more clarity about how any US governing body, the Federal Trade Commission in most cases, will act a final point of redress. Finally, there are also stronger enforcement controls in place with specific financial penalties when a business is deemed in breach of Privacy Shield’s requirements.

What does Privacy Shield mean for your business?

So how does this impact your business in terms of engaging consumers in Europe? There are a number of areas where you’ll need to invest in resources, business processes, or technology. To successfully fulfill your obligations, you’ll want to review a few critical areas of your operation:

Appointment a formal Compliance Officer – In addition to being a requirement of the new framework, this really is the only way you are going to efficiently meet your obligations and do so in a manner that doesn’t end up creating a lot of confusion among your business units. There is a lot of legal interpretation and cross-team coordination required to be successful, you’ll need a “hub” role of sorts to keep it all straight.

Engage your Arbitration Partner early – This is a newly released compliance framework, and even in the first few months a number adjustments have been made in what is considered to be best practice. Your Arbitration Partner (i.e. the BBB or TRUSTe) is front and center in this process as it evolves and they can save you a lot of time and expense while you navigate the early stages of this program.

Review your Data Flow and Repositories for Consumer Data – With this new regulation, there is a lot of control being offered to the consumer regarding their data. You’ll have to provide mechanisms to keep the information current and correct. You’ll also need to put in place really clear points for opting in or opting out, and record any acknowledgements you receive from the consumer. In addition, there are far-reaching implications, sometimes years down the road, when it comes to engaging data processing partners, third party call centers, and even in the case of mergers and acquisitions. Your technology has to be able to track, update and/or remove this data at any point in the consumer lifecycle.

Shore up your Business Partner agreements – You’ll need to review all of your related business partner agreements to ensure that they are also “on the hook” when it comes to handling consumer data. The language must be formalized and in writing to ensure there is a clear understanding of how any consumer information is going to be handled and that your partner is living up to their part of the Privacy Shield requirements.

This is, of course, an extremely high level overview and there are a number of nuances that require deeper discussion. Some of this may sound pretty overwhelming; however, by arming yourself with the right information and engaging good partners to help you navigate the process, it can be done — and the impact to your business and consumer relationships can be greatly minimized. 

In my own experience, once you review the requirements and develop the right strategy, you can meet your commitments without too much expense or complexity. It really comes down to good planning and how well you’ve maintained your compliance strategy all along. Most consumer brands have been dealing with some form of privacy compliance for years now, and this one follows many of the same lines. It just requires good organization and leadership… like most things in the business world.

In our next article, we’ll talk a bit more about the tactical side of compliance and try to shed some light on how to simplify the modern business ecosystem of people, process, technology, and partnerships.