The European Commission and the United States Department of Commerce have agreed on a new framework for the transfer of personal data: the EU-US Privacy Shield. The success of the new framework will be critical to remove a major obstacle to trade for global companies in a wide range of industries.

Background 

The European Commission Directive on Data Protection (the “EC Directive”) prohibits companies in the European Union from transferring the personal data of EU citizens out of the EU, unless the country to which the data is being transferred has an “adequate” standard of protection for personal data. While there are some exceptions to this prohibition – for example, companies can enter into a contract with the recipient of the personal data containing specific privacy obligations – transferring personal data out of the EU is much easier if data privacy laws in the recipient’s country are considered adequate by the European Commission. 

The problem is that the EU’s single largest trading partner, the United States, does not have a national data privacy law. This means that companies that wish to transfer personal data of EU citizens from the EU to the US cannot freely do so.

In the global information economy, this affects a wide range of businesses across many industries. Global internet companies like Facebook and Amazon serve EU customers from the United States. Cloud service providers operate their platforms from servers located around the world, and the US is a prime location for data centres. Global insurers may need to share information about EU policyholders with their offices outside the EU. Global businesses of all kinds need to share employee records between offices. 

The prohibition on transferring individuals’ personal data outside the EU is potentially a major obstacle to trade between the EU and the US. To address this problem, in 2000, the EU and the US agreed on the EU-US Safe Harbor scheme. 

As discussed in our previous update, the Safe Harbor scheme was recently held to be invalid by the European Court of Justice on the basis that it did not prevent or restrict US companies from sharing the personal data of EU citizens with US government agencies (to whom the Safe Harbor scheme did not apply) for national security purposes. 

The new Privacy Shield framework 

In February, the European Commission and the United States announced that they have agreed on a new framework called the EU-US Privacy Shield, which they believe remedies the problems identified by the European Court of Justice with the Safe Harbor scheme. 

While the full text of the Privacy Shield framework has not yet been published, the European Commission has indicated that Privacy Shield includes the following requirements:

  • US companies wishing to import personal data from Europe will need to commit to stronger obligations on how personal data is processed.
  • Enforcement by the US Department of Commerce and the US Federal Trade Commission will be stronger. The Department of Commerce has indicated it will be dedicating a special team with significant new resources to oversee compliance with the Privacy Shield framework.
  • US companies handling human resources data of EU citizens will be required to comply with decisions of European data protection authorities.
  • Access by US government authorities to the personal data of EU citizens will be subject to clear conditions, limitations and oversight, rather than the unrestricted access those authorities enjoyed under the Safe Harbor scheme. US authorities must only access personal data of EU citizens to the extent necessary and proportionate and must not conduct indiscriminate mass surveillance on that data.
  • An EU citizen who considers that their personal data has been misused under the Privacy Shield framework will have several possibilities for redress. US companies will be required to respond to complaints within a mandatory deadline. European data protection authorities will be able to refer complaints to the Department of Commerce and the Federal Trade Commission. EU citizens will also have access to alternative dispute resolution at no cost to the individual.
  • A new State Department Ombudsperson will be established to deal with complaints on possible access to personal data by US intelligence authorities.

It remains to be seen to what extent the full text fulfils these promises. In light of the European Court of Justice’s previous decision, it is likely that the Privacy Shield framework will come under close scrutiny and potentially legal challenge if it is not considered to provide sufficient protections. 

It is estimated that it will take approximately three months to put the new Privacy Shield framework into effect, though a precise implementation timeline has not yet been established. Once the framework is up and running, the EU and the US will conduct an annual joint review to closely monitor its implementation. The European Commission and the Department of Commerce will conduct the review and invite national intelligence experts from the US and European data protection authorities to participate.

US Federal Privacy Council 

Also in February, the US established a new Federal Privacy Council, with the responsibility of coordinating the development and implementation of privacy policies and strategies across US federal government agencies. While the Council is only responsible for data privacy within the US federal government, it is the first federal agency in US history to specialise in data privacy. 

How does this affect me? 

The Privacy Shield framework should make it easier for global companies in many industries to serve EU customers, to offer cloud services to EU customers, and to share information about EU customers and employees globally. However, the framework also promises to substantially strengthen the requirements for US companies handling the personal data of EU citizens. Global companies with operations in the EU should monitor developments closely. Once the full text of the Privacy Shield framework becomes available, it is likely that they will need to adjust their privacy practices to meet the new requirements.