- The U.S. and European Union (EU) have reached an agreement regarding international data transfers, shortly after the deadline set by both parties.
- The new framework, known as the EU-U.S. "Privacy Shield," is designed to improve commercial oversight and enhance privacy protections.
- It is estimated that it will take approximately three months to put the new Privacy Shield agreement into effect, though a precise implementation timeline has not yet been established.
The U.S. and European Union (EU) reached an agreement regarding international data transfers, shortly after the deadline set by both parties. The parties had been in negotiations since the Court of Justice of the European Union's (CJEU) invalidation of the former EU-U.S. Safe Harbor Framework in October 2015. The new framework, known as the EU-U.S. "Privacy Shield," is designed to improve commercial oversight and enhance privacy protections. EU Commissioner Vera Jourová stated that the European Commission has permitted the preparation of the "adequacy" agreement that would declare that the new framework meets the requirements under EU law for protecting the privacy and data security of European citizens.
Privacy Shield Provisions
Although the Privacy Shield was approved by the College of Commissioners, it must still earn the approval of another EU Committee, composed of representatives of the Member States. As the agreement currently stands, it requires the U.S. Department of Commerce (DOC) to actually monitor – and the Federal Trade Commission (FTC) to actually enforce – the compliance of companies' data practices with the agreement. The DOC said it will be dedicating a special team with significant new resources to oversee compliance with the Privacy Shield. The U.S. and the EU will review the international structure annually.
The Director of National Intelligence (DNI) has also provided written assurances to the EU that the U.S. government will use EU personal data only for purposes that are "necessary and proportionate," and the U.S. Intelligence Community has demonstrated to the European Commission the multiple layers of constitutional, statutory and policy safeguards that apply to its operations, with active oversight provided by all three branches of the U.S. government. The agreement also includes a specific mechanism by which EU individuals can inquire about signals intelligence activities.
The issue of "redress" for any European who feels as if his or her data has been abused will be handled by a newly created State Department Ombudsman position. The adjudication of each complaint will only be specific to that individual – not to all Europeans generally – and companies will have mandatory deadlines by which they must reply to individual complaints. EU individuals will also have access to alternative dispute resolution at no cost to the individual. Additionally, the Member States' Data Protection Authorities (DPAs) now have the ability to refer complaints directly to the DOC and FTC.
While acknowledging the difficulty of the ongoing negotiations during the past several months, U.S. Commerce Secretary Penny Pritzker expressed satisfaction with the new arrangement, noting that it will "protect consumer privacy while supporting commerce between the United States and the EU." The FTC has also backed the new framework, and Chairwoman Edith Ramirez stated that the FTC "will continue to prioritize enforcement of the framework as part of our broader commitment to protect consumers' personal information and privacy."
It is estimated that it will take approximately three months to put the new Privacy Shield agreement into effect, though a precise implementation timeline has not yet been established. U.S. officials are working to solidify a transition period for all companies to come into compliance once the final text of the agreement is released, along with expectations for implementing various aspects of the deal.
Considerations for Companies
Exactly what the final text will include remains to be seen, and some privacy advocates are questioning whether the Privacy Shield will provide adequate protections, even with the newly added rights and obligations. Given the CJEU's decision to invalidate the prior Safe Harbor Framework (and its suggestion that other international data transfer mechanisms also may not be adequate), implementing the new agreement could be complex, and the extent to which the Privacy Shield will be able to stand up to potential future attacks in the courtroom is unclear.
The agreement is expected to make wholesale changes to the prior Safe Harbor regime with respect to data protection obligations, complaint response timelines and FTC enforcement. As a result, global corporations that house or transfer personal data of EU citizens, or that use outside vendors to manage this effort, will need to closely monitor developments and quickly evaluate their internal operations and contracts. Once the actual text is made available, a comprehensive review and analysis will be needed to evaluate both the new U.S. government roles in this agreement and how the EU and DPAs plan to enforce the new agreement.