The European Commission has published its draft adequacy decision on the EU-U.S. Privacy Shield, the proposed data transfer framework that would replace the defunct Safe Harbor program. The draft adequacy decision formally supports the view that the proposed EU-U.S. Privacy Shield will ensure an adequate level of protection for the transfer of personal data from the EU to U.S. companies which enlist in the new program.

The draft decision also provides full details of the Privacy Shield framework for the first time.

The earliest the Privacy Shield is likely to be available is June, but if your company relies on transatlantic data-sharing, as many pharmaceutical and medical device companies do, it’s worth reviewing the details of the framework now to determine whether it might make sense for your business.

Some key aspects of the Privacy Shield include the following:

  • As with Safe Harbor, the Privacy Shield will not be available to companies in specific sectors which are outside the jurisdiction of the U.S. Federal Trade Commission or Department of Transportation. This means that companies in the financial services and insurance sectors will not be eligible to join.
  • EU citizens will have several options for pursuing claims regarding alleged misuse of their data, including (a) directly with the allegedly offending company, (b) through alternative dispute resolution provided by an independent third party, (c) with the EU Data Protection Authority (which will then work with the Department of Commerce and Federal Trade Commission), and (d) with the Privacy Shield Panel, which operates as a last resort and provides a binding decision via an arbitration mechanism. Privacy Shield certified businesses will have to put in place an effective redress mechanism, including responding substantively within 45 days to complaints received from EU individuals about the treatment of their personal data. Failure to respond to complaints will result in the individuals having recourse to alternative redress mechanisms.
  • Privacy Shield members must provide individuals with notice of the organization’s participation in Privacy Shield, the type of data affected and the purposes for which it will be used. Individuals must be informed of any third parties to whom their data will be transferred and must also be provided with “clear, conspicuous, and readily available mechanisms” for opting out of these disclosures to third parties or for preventing use of their personal data for a new purpose.
  • Tightened rules will apply around onward transfers of data by a Privacy Shield member to third parties, whether a data controller or a data processor. If compliance problems arise in this sub-processing chain, the Privacy Shield organization acting as data controller of the data will face liability unless it can prove that it was not responsible for the event causing the damage.

For more details on what will be different under the Privacy Shield, what will be largely the same as it was under Safe Harbor, and what kind of companies may be best positioned to transition to the Privacy Shield, read our recent client alert, “Now That Details of the EU-U.S. Privacy Shield Have Been Revealed, Should Your Company Get Ready to Embrace It or Avoid It?”