EU-US Privacy Shield Hosting
Note: While the U.S.-EU Safe Harbor framework has been repealed, the U.S.-Swiss Safe Harbor framework is still in effect. Online Tech remains in compliance with the U.S.-Swiss Safe Harbor framework.
Privacy of your information and your customers' information is paramount for us. We comply with the U.S.-EU Privacy Shield framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. We have certified that we adhere to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/Program-Overview. To view our certification, visit the list of Privacy Shield participants.
What is the EU-U.S. Privacy Shield? Privacy Shield is an update of the Safe Harbor program framework, which was developed by the U.S. Department of Commerce in 2000 in consultation with the European Commission on Data Protection. In October 2015, this law was struck down and replaced with Privacy Shield. Privacy Shield provides many of the same assurances as Safe Harbor, but further addresses European concerns over excessive government access to data and creates a process for addressing individual complaints.
As a secure hosting provider with services such as cloud hosting, colocation and managed servers, we are dedicated to following Privacy Shield principles in order to comply with the data privacy laws for all European Union nations. Although businesses in Europe and the U.S. both collect and retain personal information about their customers, including social security and credit card numbers, they do have differences in their regulations and policies regarding personal data. Privacy Shield bridges this gap more comprehensively than Safe Harbor.
Privacy Shield enables U.S.-based organizations to join the Privacy Shield Framework in order to benefit from the adequacy determination it provides. It also gives companies on both sides of the Atlantic a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
The new Principles are quite similar to the original law, and with streamlined and cost-effective compliance requirements, the program benefits small and medium enterprises. Businesses can even self-certify within the framework provided by the Department of Commerce.
There are seven Privacy Shield Principles, modified from the original Principles in Safe Harbor:
- Notice – This requires organizations to notify individuals about why they collect and use information about them. Organizations must provide contact information so that individuals can reach them with inquiries or complaints; the types of third parties with which they share information; and the choices and means they offer for limiting its use and disclosure.
- Choice – Organizations must give individuals the choice to opt out of having their information shared with a third party or used for a purpose other than the one for which it was originally collected. In addition, for sensitive information (including medical, racial, religious or political information), an individual must opt in before the information may be disclosed to a third party or used for anything other than its original purpose.
- Onward Transfer (Transfers to Third Parties) – The first two requirements (notice and choice) must be met before disclosing information to a third party. In addition, the third party must provide the same level of Privacy Shield protection as the original organization. The organization that discloses information can remain liable if the third party does not process the information in a manner consistent with Privacy Shield, unless it proves it is not responsible for the event that caused the damage.
- Access – Organizations must give individuals access to the personal information the organization holds about them. Individuals must also be able to correct or delete that information where it is inaccurate.
- Security – Organizations must protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
- Data Integrity and Purpose Limitation – Organizations must take reasonable steps to ensure data is reliable for its intended use, as well as accurate, complete and current. Privacy Shield introduces language that states information collected must only be for its intended and relevant purpose. Even if an organization's certification has expired, it remains bound by this Principle when processing any data collected under Privacy Shield.
- Recourse and Enforcement – The recourse section within this Principle has changed dramatically. Privacy Shield requires organizations to set up detailed processes for handling complaints in order to be considered for Privacy Shield certification. There are three avenues of recourse: the organization itself; the European Department of Foreign Affairs or another independent group; and binding arbitration by the Privacy Shield Panel. The last option is for those who have exhausted the previous two. The U.S. organizations that will act as watchdogs include the Department of Commerce, the Department of Transportation and the FTC. The Department of Commerce will have an expanded role under the new legislation, including holding periodic compliance reviews with organizations to identify any issues that warrant further action. The department will also act as a liaison with the European Data Protection Authorities.