What you need to know about the new EU-U.S. Agreement for Transatlantic Data Flows: Privacy Shield

February 26, 2016 | Bryan Barajas

On February 2, 2016, the European Commission (EC) and United States Department of Commerce agreed on a new framework for the transfer of personal data from the European Union (EU) to the United States. This new framework, named the EU-U.S. Privacy Shield, replaces the EU-U.S. Safe Harbor Framework that was invalidated by the European Court of Justice on October 6, 2015. Key provisions of the Privacy Shield Framework are as follows:

  • Strong Obligations and Robust Enforcement: U.S. companies that commit to the Privacy Shield must commit to “robust obligations” on personal data collection and processing and guarantee individual rights.  These commitments will be published and enforced by the Federal Trade Commission (FTC).
  • Clear Safeguards and Transparency Obligations: The U.S. government has provided written assurances regarding protections from indiscriminate mass intelligence surveillance on the personal data transferred to the United States.  Additionally, any access to data must be necessary and proportionate to the need for such access.
  • Annual Joint Review: The EC and the Department of Commerce will conduct an annual review to monitor the functioning of the Privacy Shield.
  • Effective Protection of EU Citizens’ Rights: U.S. companies will have deadlines to reply to any complaints and European DPAs can refer complaints to the U.S. Department of Commerce and the FTC.  To address complaints of access by national intelligence authorities, the U.S. agreed to establish an ombudsperson position.  To ensure redress in U.S. courts, a recently passed Judicial Redress Act has been sent to the president for his signature that would allow EU citizens to sue the U.S. government as a final resort for an alleged privacy violation.

What Happens Next?

The EC will draft an adequacy decision and will then send the decision to the Article 29 Working Party (WP29) for consideration. The College of EU Commissioners will then need to adopt it, taking into consideration the opinion of the WP29 and consulting with a committee composed of representatives of the member states. On the U.S. side, the Judicial Redress Act needs to be signed by the president and an ombudsperson needs to be appointed. All of this will likely take months. In the meantime, it is the understanding of the Department of Commerce (DOC) that EU Data Privacy Authorities (DPAs) will suspend enforcement for Safe Harbor compliant companies until all the details are resolved and published. The DOC recommends that currently Safe Harbor certified companies maintain their certification, renewing if necessary, until the final guidelines are published. The DOC expects to send an email to all currently certified Safe Harbor companies with detailed guidance on how their privacy policies need to be revised and how a company certifies as EU-U.S. Privacy Shield compliant. Those details are expected to be released in the first week of March 2016.
