In an effort to balance the needs of multinational companies against European Union citizens’ right to privacy, the United States and the European Union are working together to craft an EU-U.S. Privacy Shield that would provide a lawful basis for multinational companies to transfer the personal data of Europeans. Prior to this agreement, companies such as Facebook and Google relied on the Safe Harbor agreement, the predecessor to the new Privacy Shield, to handle European citizens’ data, but in October 2015 the European Court of Justice struck that agreement down over concerns about U.S. surveillance.
After the Safe Harbor agreement was struck down, companies still needed to continue such transfers, but found themselves out of compliance with European law and exposed to enforcement actions by the member states of the European Union. In fact, Germany’s data protection authorities took steps to begin sanctioning any transfers of personal data that were based solely on the Safe Harbor. The Privacy Shield, a response to this uncertainty, would provide a regulatory mechanism for legally handling European citizens’ data. The agreement was crafted between the European Commission and the Obama administration, and its terms have recently been announced.
The agreement identifies Privacy Principles that every organization registering with the Shield must abide by in order to do business under it. The Privacy Principles provide a framework for the transfer of European Union citizens’ data and require:
- Notice – Organizations transitioning to the Privacy Shield must declare compliance with the Privacy Shield and must revise their privacy policies to notify individuals of the new details;
- Choice – Participating organizations must implement mechanisms that provide data subjects with varying levels of choice regarding the use and disclosure of their data;
- Accountability for Transfers to Third Parties Such as Vendors – The permissible conditions for onward transfers to any third party have been tightened, and the Shield holds participating organizations responsible for the conduct of the third parties to which data is forwarded. This principle also effectively requires mechanisms for oversight of these third parties by requiring organizations to: i) take steps to ensure the processor handles the data in accordance with the Privacy Principles; and ii) remediate any unauthorized processing by the processor;
- Security – Participating organizations must demonstrate “reasonable and appropriate” data security measures;
- Data Integrity and Purpose Limitation – Data must be relevant and reliable for its intended purpose and must be accurate, complete, and current. An organization cannot process personal data in a way incompatible with the purpose for which it was originally collected without consent;
- Access – Data subjects must be provided access to the personal data processed about them, and must be afforded the ability to correct, amend, or delete their personal data;
- Recourse, Enforcement and Liability – The Privacy Shield requires robust mechanisms to ensure compliance with these principles. These include, but are not limited to:
  - Independent dispute resolution bodies must be appointed to resolve individual complaints, provide recourse, and sanction noncompliant organizations.
  - Organizations must self-certify compliance with these Privacy Principles and must also meet annual verification requirements through self-assessment or outside compliance reviews.
  - The U.S. government has provided written assurances that any access for national security purposes will be subject to limitations, safeguards and oversight mechanisms, preventing generalized access to personal data.
  - Complaints have to be resolved by companies within 45 days.
The Privacy Shield was reviewed by the Article 29 Working Party, an independent advisory group that evaluates the protection of individuals with regard to the processing of personal data and the free movement of such data. This review yielded mixed results, and it is considered a barometer of the deal’s viability in court. The review indicated that while the Privacy Shield is a substantial improvement over prior agreements, it still allows the U.S. too much leeway to carry out surveillance. It is unclear whether the Privacy Shield will continue as drafted or will face further revisions in light of the Article 29 Working Party’s review. There is concern that the more than half a trillion dollars that depends on transatlantic data flows will be at risk if an agreement is not reached.