The U.S. Department of Commerce and European Commission have released details on the EU-U.S. Privacy Shield framework. The agreement seeks to ensure that Europeans have data-protection rights when U.S. companies import their personal data.

Background

The Privacy Shield is the result of concerns, particularly those of EU authorities, regarding the U.S. government’s access to data. In general, the EU has much more restrictive policies related to personal and private data, and there has been concern about how the U.S. would handle such data. The Privacy Shield is part of a larger effort over the past few years to restore trust in transatlantic data flows following the 2013 surveillance revelations brought on by Edward Snowden.

What the Privacy Shield requires

In more specific terms, the Privacy Shield amounts to an agreement established between the U.S. and the EU that: a) finalizes the reform of EU data protection rules, which apply to all companies providing services in the EU market; b) codifies an EU-U.S. “Umbrella Agreement,” ensuring high data protection standards for data transfers across the Atlantic for law enforcement purposes; and c) achieves a renewed sound framework for commercial data exchange.

A critical part of the agreement is the pledge by U.S. officials to European officials that law enforcement and national security access to personal data will not be unfettered; rather, appropriate restrictions and oversight will be in place to ensure that such access is measured and proportional to what is needed. There also will be an annual joint review of the arrangement, including the national security access issue.

Stated simply, the Privacy Shield will provide:

  • Strong obligations on companies and robust enforcement
  • Clear safeguards and transparency obligations on U.S. government access
  • Effective protection of EU citizens’ rights with several redress possibilities
  • An annual joint review mechanism to monitor the effectiveness of the Privacy Shield

What the Privacy Shield means for businesses in the U.S.

In general, the Privacy Shield provides a mechanism to review companies that take part in moving data into the United States. These companies will be subject to review to ensure compliance with the standards laid out in the agreement.

Both the U.S. and EU are taking the necessary steps to put the Privacy Shield framework in place. Stateside, the Department of Commerce and Federal Trade Commission will be the main enforcers of the Privacy Shield framework.

Companies interested in learning more about their responsibilities under the Privacy Shield deal can do so here.