The European Commission released on Monday the text of the EU-U.S. Privacy Shield, a new framework for transatlantic personal data flows.  The EU-U.S. Privacy Shield would replace the recently-invalidated Safe Harbor Framework.  

The Privacy Shield principles include Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.  These principles retain much of Safe Harbor’s structure and requirements, but they imposes additional obligations in several respects, including: 

  • More specific disclosure requirements under the Notice Principle.
  • More direct contractual requirements for transfers to third parties under the Accountability for Onward Transfer Principle.
  • Expanded individual rights to access, correct, modify or delete personal information under the Access Principle.
  • New redress mechanisms – including complaints to participating organizations and U.S. or EU authorities and a binding arbitration procedure – under the Redress, Enforcement and Liability Principle.
  • New enforcement mechanisms – including increased Department of Commerce enforcement and increased oversight from the EU Data Protection Authorities – under the Redress, Enforcement and Liability Principle.
  • Increased liability for third-party agents’ violation of the Privacy Shield principles.

In addition, the Privacy Shield principles will continue to apply to personal information that organizations receive under the Privacy Shield, even if the organization does not continue participating in the Privacy Shield framework. Privacy Shield will not come into force until the relevant authorities in the EU determine that the Privacy Shield provides “adequate” protection under the EU Data Protection Directive.  This process involves several layers of approval, and the process is expected to take at least two more months.

Jenner & Block’s analysis on the Privacy Shield is available here.