What is the EU-U.S. Privacy Shield?
Privacy Shield update as of July 2020
The EU-US Privacy Shield has been declared invalid following a ruling by the Court of Justice of the European Union.
What does that mean for firms having email data checked if the data includes email addresses of European nationals? It means that personal data of European nationals may not legally be processed outside of Europe in the USA, by companies relying on the Privacy Shield as a way to comply with EU data processing and privacy laws. The Privacy Shield is no longer acceptable as a safeguarding standard for personal data processing. Companies may need to change data processing partners in order to ensure data about European individuals is not passed to the USA for processing.
Email Hippo and the new Privacy Shield ruling
Email Hippo is based in the United Kingdom. All our servers are in Europe and no data passes outside Europe for processing. This means that all our processing is compliant with the ruling and it is business as usual.
Our full international quality and security compliance terms are here. Any data processing queries can be directed to our Data Protection Officer: firstname.lastname@example.org.
This is a Privacy Shield explanation for readers who don't want to get bogged down in legal jargon.
You'll find links to more technical and detailed explanations at the foot of this article. If that is your thing, please scroll down and tuck in. If not, read on.
The EU-U.S. Privacy Shield is the framework that enables firms to transfer personal data legally from the European Union to the United States. Firms in the USA that move personal data from Europe into the USA are invited to voluntarily participate and join the Privacy Shield Program.
It came into existence in July 2016, replacing the 'Safe Harbour' framework that had been doing the job previously.
There is a separate Swiss-U.S. Privacy Shield Framework that covers transferring data from Switzerland to the USA. That came into existence in January 2017.
Why does the EU-U.S. Privacy Shield exist?
Basically, to help the digital economy grow, to improve trade and to increase security.
Back in 2012, the European Commission raised concerns about the security of personal data of European Union citizens being transferred to the USA. The European press reported on the disagreement between European and US legislative attitudes to protecting personal data. The prevailing view was that data privacy laws in Europe were more stringent than those in the US.
The European Court of Justice rejected the existing 'Safe Harbour' framework. Stories about social-media data storage and transfer preceded news of subsequent US eavesdropping activities. This did little to help create a feeling of 'common ground.' In fact, Facebook ended up in court in Ireland, so it's fair to say the governments weren't seeing eye to eye on this one.
Does the EU-U.S. Privacy Shield affect Email Hippo?
No. Email Hippo is a UK company so we don't need to participate in the Privacy Shield.
But we thought you might want to know more about how we deal with personal data that is uploaded to our servers for validating, especially as many of our customers are companies in the USA and so may be familiar with Privacy Shield participation.
We have servers in the cloud in Europe, stacking, moving and returning results to our customers. We deliver fast results by using intelligent caching and data routing.
Is an email address personal data?
Personal data is essentially information that is designed to be processed and can identify a living individual.
Can an email address on its own identify a living individual? Yes? No?
Obviously role-based email addresses can't identify a living individual; email@example.com gives no personal information. But what about firstname.lastname@example.org? That's personal.
So that's why we take personal data privacy very seriously. Every email address uploaded to our service could be personal data. From time to time customers send us extraordinary amounts of personal data that goes far beyond simple email addresses. In the interests of security, compliance and, frankly, just good manners, we have created a framework of extremely secure best practice that we adhere to.
That framework begins with our ISO 27001 and ISO 9001 certification. Our information security and quality management systems are certified to these internationally recognised standards.
Part of our security protocol requires us to select suppliers that are also secure, and audit them regularly.
We deal with data safe in the knowledge that we are operating within a secure framework, compliant with the most stringent data protection laws on the planet.
You can trust us with your data.
If personal data security is important to you and you'd like more information, please contact our Data Protection Officer: email@example.com.