On February 29, 2016, the European Commission released the text of the EU-U.S. Privacy Shield. The text reveals the details of a new framework that will place stronger obligations on U.S. companies to protect the personal data of EU citizens. It will also involve heightened compliance requirements and authorizes enforcement measures by the U.S. Department of Commerce (Commerce) and the Federal Trade Commission (FTC). The Privacy Shield replaces the previous Safe Harbor regime, which was invalidated by the Court of Justice of the European Union (CJEU) in October 2015. The Privacy Shield reflects the requirements mandated by the CJEU, as well as prior recommendations made by the European Commission.
Under the new framework, a company that wishes to receive personal data transferred from the EU must annually self-certify its compliance with the framework’s seven core principles: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. The Department of Commerce will maintain a public list of all Privacy Shield members that have self-certified, and Commerce will be responsible for ensuring that companies continue to apply the Privacy Shield’s principles to personal data received under the framework for as long as that data is retained.
Key Changes from Safe Harbor
As a replacement for the Safe Harbor, the Privacy Shield responds to a variety of recent developments and concerns. In the commercial arena, for example, it imposes more robust obligations on U.S. companies to protect the personal data of EU citizens. It also establishes enforcement procedures involving monitoring and oversight, and it sets required conditions for onward transfers of data to a company’s partners and service providers.
A significant change from the Safe Harbor is a new mechanism that allows EU citizens to raise complaints directly with a U.S. company and obligates the company to respond within 45 days. EU citizens will also have access to free alternative dispute resolution, and the Privacy Shield requires the creation of an independent ombudsperson within the Department of State to handle complaints relating to access to data by U.S. national security authorities.
The Privacy Shield is supported by written assurances from U.S. government officials, including Secretary of State John Kerry, FTC Chairwoman Edith Ramirez, Secretary of Transportation Anthony Foxx, and Robert Litt, the General Counsel of the Office of the Director of National Intelligence. These assurances confirm the U.S.’s commitment to maintain transparency and enforce safeguards that will prevent unfettered access by intelligence and law enforcement officials to data transferred from the EU.
Although the release of the full text provides the details on the basic terms of the Privacy Shield, numerous questions remain with respect to implementation and enforcement. Moreover, EU member states and data protection authorities will now have an opportunity to review the proposed framework before it receives final EU approval. A court challenge by those who do not think the framework goes far enough to protect EU citizens, similar to the challenge that invalidated the Safe Harbor, is also anticipated. U.S. companies operating internationally now need to consider whether and how to participate in and comply with the Privacy Shield. Sutherland will continue to follow developments and provide updates as the Privacy Shield mechanism is revised and implemented.
View a fact sheet summarizing the key elements of the EU-U.S. Privacy Shield.