After more than two years of negotiations, on July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield (the “Privacy Shield”) framework as a valid mechanism for transfers of personal data from the EU to the U.S. Touting the Privacy Shield as “a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses,” the European Commission released an Adequacy Decision, along with accompanying Annexes, concluding that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States.”
The announcement follows a period of uncertainty for the Privacy Shield, which has seen certain aspects of the framework challenged in recent months. First proposed in early February 2016 as a replacement for the invalidated EU-U.S. Safe Harbor framework, the Privacy Shield has since been the subject of concern on the part of European Data Protection Authorities (DPAs) and other regulatory entities who reviewed it. The newly adopted Privacy Shield is meant to address these critiques, specifically by including:
- Stronger obligations for companies handling EU personal data. The new version of the Privacy Shield states that companies may retain European data subjects’ personal data only for as long as the data serves the purpose for which it was collected. Further, companies wishing to share personal data with third parties (e.g., vendors) must obtain assurances that the third party can provide the “same level of protection” for the data. If a third party can no longer ensure the appropriate level of data protection, it must inform the company. The U.S. Department of Commerce will conduct regular updates and reviews of companies participating in the framework to ensure compliance.
- Clear limitations and safeguards with respect to U.S. government access. U.S. authorities have given written assurances that law enforcement and national security access to EU personal data is subject to clear limitations, safeguards, and oversight mechanisms. One such mechanism is the appointment of an independent Ombudsperson within the U.S. State Department, who will address complaints regarding the U.S. government’s use of EU citizens’ personal data. U.S. authorities also have ruled out indiscriminate mass surveillance of personal data transferred under the Privacy Shield framework, and have clarified that bulk collection of data may only be used under specific preconditions and must be as targeted and focused as possible.
- Effective protection of EU data subjects’ rights. The Privacy Shield has a number of redress mechanisms available to data subjects who believe their personal data may have been misused by U.S. organizations. The framework provides for complimentary Alternative Dispute Resolution or voluntary submission to the oversight of EU DPAs. A data subject also may file a complaint with his or her DPA, which will then refer the complaint to the U.S. Department of Commerce and the Federal Trade Commission (FTC). Arbitration is available as a last resort for individuals alleging misuse of personal data by companies. The U.S. Ombudsperson will handle national security-related privacy complaints.
- An annual joint review mechanism. The European Commission, the U.S. Department of Commerce, associated U.S. national intelligence experts and EU DPAs will conduct an annual review of the Privacy Shield. The annual review will evaluate the functioning of the framework, including the commitments and assurances regarding access to data for law enforcement and national security purposes.
What comes next?
The Privacy Shield immediately became effective in the EU on July 12, 2016. In the U.S., the adopted Privacy Shield text will be published in the Federal Register and the U.S. Department of Commerce will begin implementing the framework. Starting August 1, 2016, companies will be able to self-certify as members of the Privacy Shield on the commerce.gov website.
While the Privacy Shield is being hailed as a step forward for individuals and companies alike, not all are satisfied. German Green MEP Philipp Albrecht said the European Commission has “signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights.” Max Schrems, the Austrian student who brought the legal challenge that ultimately resulted in the invalidation of the Safe Harbor framework, also criticized the Privacy Shield, stating, “This deal is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution.” Many believe that litigation on the adequacy of the framework may soon follow.
Perhaps responding to such critiques, European Commissioner for Justice, Consumers and Gender Equality Věra Jourová said, “I urge you not to simply dismiss this mechanism before it has even been put to the test.”
We will be providing additional analysis and practical information about the Privacy Shield in the coming weeks.
For more information, read:
- The European Commission’s Privacy Shield Fact Sheet, FAQs and Press Release.
- The U.S. Secretary of Commerce’s remarks on the Privacy Shield.
- The U.S. Department of Commerce’s FAQs, Fact Sheet and Guide for companies wishing to self-certify under the Privacy Shield framework.
- Background information on the development of the Privacy Shield framework and the fall of its predecessor.