Tom Colgan, Director of Cyber Security, Pilgrim Quality Solutions
As we come up on the first year anniversary of EU commission adoption of EU-U.S. Privacy Shield framework, I wanted to take a few minutes to discuss Privacy Shield and its evolution. EU member states approved EU-U.S. Privacy Shield on July 8, 2016, followed by EU Commission adoption on July 12, 2016. The U.S. Department of Commerce started taking applications for EU-U.S. Privacy Shield on August 1, 2016. Since that time, over 2,000 business entities have submitted the proper registration requirements and been approved as EU-U.S. Privacy Shield certified per the published list on the Privacy Shield website.
Privacy Shield, the intended replacement for Safe Harbor, is a framework established to allow for exchange of data between the European Union and United States. One aspect of the framework enables U.S. companies to more freely receive and/or process personal data of EU citizens.
Certifying downstream data protection measures.
While participation in the Privacy Shield framework is voluntary for U.S.-based companies, organizations have previously been sued for allegedly failing to secure consumer information, unlawfully collecting consumer information, and failing to secure internet-connected devices used to store personal information. Choosing to participate, as has Pilgrim Quality Solutions, is a responsible choice.
In order to comply with the EU-U.S. Privacy Shield, organizations must adhere to the following Principles:
- Notice: An organization must inform individuals about its participation in the Privacy Shield.
- Choice: An organization must offer individuals the opportunity to choose (opt out) whether their personal information is to be disclosed.
- Accountability for Onward Transfer: To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles.
- Security: Organizations creating, maintaining, using, or disseminating personal information must take reasonable and appropriate measures to protect it.
- Data Integrity and Purpose Limitation: Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing.
- Access: Individuals must have access to personal information about them that an organization holds, and be able to correct, amend, or delete that information.
- Recourse, enforcement, and liability: Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed.
Bridging inter-continental compliance gaps.
Since the adoption of the EU-U.S. Privacy Shield framework, the Swiss government adopted the Swiss-U.S. Privacy Shield framework on January 11th, 2017. U.S. Department of Commerce registration for the Swiss-U.S. Privacy Shield certification opened on April 12th, 2017. Switzerland, although not a member of the European Union, has very similar data privacy laws, and thus has a very similar Privacy Shield framework. A few of the minor differences include the reporting structure of the recourse, enforcement, and liability principle. Additionally, the Swiss definition of sensitive data includes ideological views or activities, information on social security measures, or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
Another item to note is that on April 6th, 2017 the European Parliament adopted a resolution on the adequacy of the protection afforded by the EU-U.S. Privacy Shield. This leads me to believe that when representatives from the U.S. and EU meet in September 2017 for the first annual joint review of the EU-U.S. Privacy Shield, we can expect to see some changes to the framework.
Bolstering border-to-border protection.
Pilgrim Quality Solutions is committed to working with its partners and customers to protect the data of all people regardless of residency. We support the EU-U.S. and Swiss-U.S. Privacy Shield and have certified in compliance with the framework.
Information Security Summary
This white paper details the security controls that Pilgrim has put in place to ensure information security.