The EU-U.S. Privacy Shield Framework was negotiated by the U.S. Department of Commerce and European Commission to provide non-European companies with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the U.S. The agreement is critical to promote continued transatlantic commerce.
In response to this important development, Connectiv and SIIA held two recent events to clarify the stakes involved and how it affects publishers in particular: an in-depth webinar hosted by Carl Schonander, SIIA’s senior director, international public policy; and a Digital Media Council meeting with a summary by David LeDuc, SIIA’s senior director, public policy, and comments from publishers heavily involved in the ramifications of the Framework. The latter can be accessed here.
Any firm offering products and services in the EU that transfers personal data back to the United States needs to comply with EU and Member State law. A firm might collect information on customer preferences as a result of selling publications to EU citizens—that information is considered personal. A key requirement is that even companies that do not have a physical presence in Europe must have a legal mechanism in place to transfer data.
“The EU-U.S. Privacy Shield is a tremendous victory for privacy, individuals and businesses on both sides of the Atlantic,” said U.S. Secretary of Commerce Penny Pritzker. “We have spent more than two years constructing a modernized and comprehensive framework that addresses the concerns of the European Court of Justice and protects privacy.”
Here are some key conclusions from the two SIIA events:
- Companies need to ensure they respond to inquiries on time—automated responses are probably okay to begin with but real contact information has to be provided.
- The new Shield, like the previous Safe Harbor, is a self-certification model, which is a big advantage for firms.
- Legal needs to be involved in your decision-making process—along with someone who knows your business side, data and customers. This doesn’t lend itself to really simple decisions. You might want to form a team.
- CEOs need to be more informed about this, as well as employees.
- It may be worthwhile for companies to assess whether they want to use binding corporate rules or standard contractual clauses. In most cases, companies are probably going to stay under the Privacy Shield regime, which is ultimately more efficient and less expensive for small and medium-sized companies.
- Companies need to think about whether they should voluntarily submit themselves to DPA authority—the commission encourages this. Sometimes it is unavoidable, with respect to HR data, but it is not generally mandatory.
In the DMC presentation, Carrie Gardenhire, senior director, audience marketing, for PennWell, explained how they have dealt with the new Shield.
“With 30-plus publications and 30-plus events around the world, we’re always gathering magazine subscribers, email newsletter subscribers, white paper email addresses, event attendees, etc., so we have to be very much in tune with this.
“The next step [has been] translating what this all means for PennWell. That is my role in audience marketing—to have the intimate knowledge of our business processes, how we’re using our audience data, how we’re targeting that list, and to make sure we reach that next stop in the audience journey.”
Gardenhire continued, bringing up the important concept of onward transfer. “Does onward transfer apply to PennWell? Yes it does. What does that mean? That means we share a file with a third-party vendor that does telemarketing for us.”
She added that they have to treat the Shield in a lowest common denominator way, meaning any possible sharing of information must be determined. “That is what we set our business processes around. It’s not reasonable to treat people differently in regard to country. Do we have to change some of our business processes? We’ll sit down with our legal team [to determine that]. Do we have to change technologies, the way we pull lists? We have to make sure we’re having those conversations.”