Officials in the United States and the European Commission have released the draft text of the European Union-United States Privacy Shield, offering 132 pages of details about the new deal on the transatlantic transfer of data.
In February, the officials announced they had reached an agreement but had few specifics in place. The Framework now provides insight into what companies will be facing under the new rules.
The seven privacy principles carried over from the prior EU-U.S. Safe Harbor will be familiar: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability. Companies that self-certify under the Shield commit to comply with these principles.
While the principles remain the same, the new deal "provides stronger obligations on companies in the U.S. to protect the personal data of Europeans," according to a Fact Sheet released by the Commission, highlighting four main areas of change.
First, the Shield imposes strong obligations on companies and provides for robust enforcement, with supervision mechanisms to ensure that companies respect their obligations and face sanctions or exclusion for failure to comply. The new rules also tighten conditions for onward transfers to other partners.
Second, the new deal establishes "clear safeguards and transparency obligations" on U.S. government access to data. The United States government has, for the first time, provided written assurance that any access by public authorities for national security purposes will be subject to clear limitations and oversight mechanisms, including the creation of an Ombudsperson tasked with following up on complaints and enquiries.
Third, redress options are a big part of the Shield, with multiple avenues for EU citizens concerned about their data. In addition to the Ombudsperson, Congress enacted the Judicial Redress Act into law, which permits non-U.S. citizens to bring suit in the country if their personal data is misused. The legislation had been a sticking point during negotiations, and President Barack Obama's signature on the bill led Commissioner Vera Jourova to declare it "a historic achievement in our efforts to restore trust in transatlantic data flows."
The Framework also sets forth an Arbitral Model that establishes a means for redress described by the authorities as "a prompt, independent, and fair mechanism, at the option of individuals, for resolutions of claimed violations of the Principles not resolved by any of the other Privacy Shield mechanisms, if any." Companies must resolve complaints within 45 days.
Finally, a joint review mechanism is in place to monitor the functioning of the Privacy Shield. Each year, the Commission and the U.S. Department of Commerce will review the prior year to ensure that the commitments and assurances are holding up.
Companies should also brace themselves for heightened enforcement, as Federal Trade Commission Chairwoman Edith Ramirez released a statement in conjunction with the draft text vowing that the agency "will play a significant role in enforcing commercial privacy promises under the framework," and make enforcement of the new Shield "a high priority."
While the Shield continues to move forward in the approval process, an open question remains: will it withstand judicial scrutiny in the EU? The Shield came about because the previous iteration of the transatlantic data deal, the EU-U.S. Safe Harbor, was thrown out last year by the Court of Justice of the European Union, the EU's highest court.
Critics have argued the Shield offers mere cosmetic changes from the Safe Harbor and will likely be struck down by the court for the same reasons. Max Schrems, whose lawsuit led to the invalidation of the Safe Harbor, criticized the new deal for failing "to address the core concerns and fundamental flaws of U.S. intelligence laws and the lack of privacy protections in U.S. law."
Why it matters: For now, work to finalize the details of the Privacy Shield continues. While the U.S. works on putting the Ombudsperson position in place and formalizing enforcement of the new deal, the Commission is expected to issue an adequacy decision in early summer, signaling its final approval of the Shield. The Article 29 Working Party, the EU body representing the data protection authorities of each member country, announced an extension of the moratorium on enforcement actions against transatlantic data transfers until the group has reviewed the Privacy Shield Framework. In the meantime, businesses should familiarize themselves with the coming changes.