This week during the Ignite 2016 conference in Atlanta, Microsoft said that it is the first global cloud service provider to appear on the Privacy Shield list. That means the personal data Microsoft transfers from Europe to the United States must be handled in line with European Union (EU) data protection requirements. The EU-U.S. Privacy Shield framework was adopted on July 12, 2016, and replaces Safe Harbor, the older mechanism used to legitimize transfers of personal data from the EU to the United States. (The separate U.S.-Swiss Safe Harbor framework remained in place at the time, as Microsoft's own statement below notes.)
“The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce,” the Privacy Shield site states.
The previous mechanism was called the International Safe Harbor Privacy Principles. The EU-U.S. framework was agreed between the U.S. Department of Commerce and the European Commission in 2000, and a parallel U.S.-Swiss framework, negotiated with the Federal Data Protection and Information Commissioner of Switzerland, followed in 2009. Both were meant to protect the personal data of EU and Swiss residents when it was transferred to U.S. organizations.
Safe Harbor was based on seven principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. Essentially, individuals had to be told that their data was being collected and how it would be used, and they had to be given a way to opt out of having it disclosed to third parties or used for a different purpose. Onward transfers to third parties had to meet the same standards, data had to be protected against loss and misuse, it had to be accurate and relevant to the purpose for which it was collected, and the individual concerned had to be able to access and correct it. Finally, there had to be a working mechanism to enforce all of this, including an independent way to resolve complaints.
However, the European Court of Justice struck down the EU-U.S. Safe Harbor decision in October 2015. The case arose from a complaint by privacy activist Max Schrems about the transfer of his personal data to U.S. servers; the court found that the framework did not ensure a level of protection equivalent to that guaranteed in the EU. The ruling left thousands of companies without a valid legal basis for their transatlantic data transfers, which pushed the EU and U.S. authorities into talks on a replacement. That replacement is Privacy Shield.
“Microsoft’s participation in the Privacy Shield applies to all personal data that is subject to the Microsoft Privacy Statement and is received from the European Union, European Economic Area, and Switzerland,” Microsoft states. “Microsoft will comply with the Privacy Shield Principles in respect of such personal data. Microsoft also maintains an affirmative commitment to the U.S.-Swiss Safe Harbor Framework and its principles, which will not be affected by our participation in the Privacy Shield.”
Companies wanting to join Privacy Shield must meet specific requirements. They must inform individuals about how their data is processed, provide free and accessible dispute resolution, cooperate with the Department of Commerce, maintain data integrity and limit processing to the purpose for which the data was collected, and remain accountable for data they pass on to third parties. They must also be transparent about any enforcement actions taken against them, and they must continue to protect the data under the framework's principles for as long as they hold it, even if they later leave the program.
The Privacy Shield program is administered by the International Trade Administration (ITA), which is part of the U.S. Department of Commerce. To join, a U.S. company must publicly commit to the framework's principles, publish a privacy policy that reflects them, and self-certify to the Department of Commerce; the certification must be renewed annually. Joining is entirely voluntary, but once a company has self-certified its commitments become enforceable under U.S. law, with the Federal Trade Commission (or the Department of Transportation for carriers) able to act against companies that fail to honor them.
In addition to Microsoft, Dropbox has also joined Privacy Shield. The cloud storage company received its Privacy Shield certification on September 23, and, like every certification under the program, it expires a year from that date unless renewed. Dropbox also said that it is one of the first major cloud service providers to be certified against ISO/IEC 27018, the international code of practice for protecting personally identifiable information in public cloud services.