of the countries recognized by the EU as not having an adequate level of data privacy protection. For over 15 years, a Minnesota business could qualify to transfer personal data from EU countries if it participated in the EU-U.S. Safe Harbor Program. This Safe Harbor Program is no longer available. On October 6, 2015, the European Court of Justice invalidated the EU-U.S. Safe Harbor Agreement that allowed the storage and processing of personal data of EU citizens so long as the business self-certified compliance with certain privacy policies and procedures.

Privacy Shield. On February 2, 2016 the European Commission and U.S. Department of Commerce announced a new data transfer framework, the EU-U.S. Privacy Shield, to replace the invalidated Safe Harbor Agreement. The Privacy Shield included a new federal ombudsman to oversee intelligence access to EU citizen data, a multi-step complaint resolution process for EU citizens, and a number of other new provisions. The Privacy Shield was more stringent than the Safe Harbor relative to enforcement, remedies, onward transfer restrictions, certification, and notice and choice obligations. On July 12, 2016, the European Commission approved the EU-U.S. Privacy Shield Framework.

The Privacy Shield consisted of 7 key principles:

• Notice: An organization must inform individuals about what data it collects, the purposes for which such data is collected, and the type or identity of third parties to whom data might be disclosed.

• Choice: An organization must allow individuals the opportunity to opt out of having their data disclosed to third parties or used for purposes other than those for which it was originally collected. Organizations must obtain affirmative express (opt-in) consent to disclose sensitive information (such as medical conditions, racial information, etc.) or to use such information for purposes other than those for which it was collected.