The Privacy Shield entered into force on 1 August 2016 and refers to a protective shield for the sending and transfer of data between the United States and the European Union for companies listed in an American registry. To benefit from the protective shield, companies subject themselves to the American Department of Commerce’s Privacy Principles.

The companies adhering to the Privacy Shield commit to multiple obligations. When personal data is exchanged between European and American companies, binding contractual rules must be complied with. A company commits to complying with and protecting the rights of users through its confidentiality policy while preserving the users’ right to information on the type of data collected and on the purpose for which it is collected. Users must be informed of the transfer of that data to another company and know the reasons for such transfer. The company must ensure the security of the data it collects and transfers by using a secure environment to avoid the loss, abuse or destruction of that data.

When personal data is collected, companies may not divulge that data to other companies without the user’s prior agreement. If the purpose is connected but different from the initial request, the company may not use or divulge the data to other companies without the user’s consent.

Moreover, a company adhering to the Privacy Shield must permit users to access their data to modify, correct or delete it.

In case of a violation of the Privacy Principles by companies, users may file a petition for reparation or, in case that fails, request arbitration to settle the dispute.