EU-U.S. Privacy Shield Adopted
By: Faith Kasparian
July 15, 2016
The European Commission Has Adopted and Launched the EU-U.S. Privacy Shield
Earlier this week, the European Commission adopted the EU-U.S. Privacy Shield - a new framework for transatlantic data flows. The European Commission’s Press Release announcing the Shield promises that the new framework “protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States” and brings “legal clarity for businesses relying on transatlantic data transfers.”
The EU-U.S. Privacy Shield replaces the Safe Harbor framework, which previously governed data transfers between the EU and the U.S. until it was declared invalid by the Court of Justice of the European Union on October 6, 2015. On February 2, 2016, the EU and the U.S. reached political agreement as to the new Privacy Shield. The European Commission’s “adequacy decision” implementing the Privacy Shield was approved on July 12. See our prior Alerts on this subject here and here.
The principal elements of the EU-U.S. Privacy Shield include:
“Strong obligations on companies handling data.”
The new arrangement imposes robust standards on companies handling data – including with respect to onward transfers of data to third parties. The U.S. Department of Commerce will conduct regular reviews to ensure compliance with these standards. Companies that do not comply will be subject to sanctions and removal from the list.
“Clear safeguards and transparency obligations on U.S. government access.”
The U.S. has agreed that the access of public authorities for law enforcement and national security is “subject to clear limitations, safeguards and oversight mechanisms.” The U.S. Secretary of State has created an Ombudsperson mechanism to address complaints associated with national intelligence.
“Effective protection of individual rights.”
Any citizen who believes that his or her data has been misused under the Privacy Shield will have access to affordable dispute resolution mechanisms – including through EU Data Protection Authorities, who will work with the Federal Trade Commission and/or Department of Commerce to resolve complaints and, as a last resort, through an arbitration mechanism.
“Annual joint review mechanism.”
The European Commission and the U.S. Department of Commerce – drawing on national intelligence experts from the U.S. and European Data Protection Authorities – will monitor the functioning of the Privacy Shield. In particular, the review will monitor the commitments regarding access to data for law enforcement and national security purposes.
Next Steps in the U.S.
The Privacy Shield will be published in the U.S. Federal Register, and the U.S. Department of Commerce will put the Privacy Shield into operation. Companies that choose to certify to the Privacy Shield will need to review the framework and update their policies to comply with it. Companies will be able to certify with the U.S. Department of Commerce beginning August 1, 2016.
The privacy and data security team at Morse, Barnes-Brown & Pendleton is pleased to assist you in understanding the impact of these issues on your business. Please contact Faith Kasparian, Michael Cavaretta, or Howard Zaharoff to learn more.
The author would like to acknowledge the contributions to this article by and give thanks to Liz Bitar, Northeastern University School of Law (NUSL) 2017.