In “Electronically-signed Contracts Enforceable?,” I addressed the implementation of new e-signature requirements in Europe. Those requirements are part of wide-ranging changes in E.U. law. The newest, and perhaps most important, of these changes for ecommerce companies is the adoption of the E.U.-U.S. Privacy Shield framework, which was approved earlier this month by E.U. member states.
Starting August 1, 2016, ecommerce stores can take advantage of the new framework. It allows U.S. companies to again collect personal information from E.U.-based consumers without fear of liability.
The E.U. is an opt-in society. Consumers must provide explicit consent to the collection and use of their personal or personally identifiable information. Since 2000, U.S. companies could self-certify — by filing paperwork with the U.S. Department of Commerce — that they provide adequate safeguards in collecting and storing the personal information of E.U. residents.
In October 2015, however, an E.U. court struck down the prior safe harbor framework because, in light of the revelations of Edward Snowden (the ex-C.I.A. employee who disclosed classified data), the court believed that the framework did not provide adequate protections for the personal information of E.U. residents. This made large, U.S.-based ecommerce retailers nervous and opened the door to potential liability.
Privacy Shield Framework
Now, under the new Privacy Shield framework, ecommerce companies can again protect themselves from liability for their collection and use of personal or personally identifiable information from E.U. residents. The new framework does the following.
- Requires that companies provide more information to users on the collection and use of personal information, including that the companies are participating in the Privacy Shield and that disputes as to the use of their private information can be submitted to arbitration.
- Increases protection of personal data that is transferred from a Privacy Shield co-operating company to a third party. The transferring party must take reasonable steps to ensure that its third party contractors, such as email list processors, use the personal information in a manner that is consistent with the Privacy Shield.
- Companies cannot over-collect information. Instead, they can only collect information that is specifically relevant to the intended and disclosed use.
- Companies must certify with the U.S. government that they will continue to apply the principles of the Privacy Shield even if they leave the program.
- Companies must establish a point person to quickly respond to privacy-related complaints.
- Companies must make public any compliance or assessment reports that they have been required to submit to the U.S. Federal Trade Commission.
Perhaps one of the more interesting aspects of the Privacy Shield is that, to take advantage of it, companies must agree to arbitrate any privacy-related claims. Though the new Privacy Shield framework allows E.U. citizens to sue U.S. companies in U.S. court for privacy violations, this new arbitration mechanism provides for a cheaper and quicker resolution to privacy-related claims, which is intended to extend rights to less wealthy E.U. citizens.
Additionally, if an E.U. resident submits a complaint to the data protection authorities in the E.U., the U.S. Department of Commerce must review the complaint and respond to the E.U. data protection authority within 90 days.
If your ecommerce company collects personal or personally identifiable information from E.U. residents, and if it did not take advantage of the prior safe harbor, now is the time to become compliant. And now, with the new dispute resolution procedures available to E.U. residents, compliance is even more important than it was under the prior framework.
Compliance is also far more complex this time around. Consider contacting an attorney for an assessment of your risk and an outline of a path to compliance.