The U.S. and EU are one step closer to implementing the new EU-U.S. Privacy Shield.  The European Commission and U.S. Department of Commerce yesterday announced the release of the legal texts that will put in place the EU-U.S. Privacy Shield, a new framework of rules governing transatlantic data flow. 

The Privacy Shield replaces the earlier Safe Harbor mechanism, which the European Court of Justice struck down last October, saying that it did not adequately protect EU citizens' privacy rights.  Nearly 5,000 U.S. companies relied on the 15-year-old Safe Harbor mechanism to collect and transfer data of EU individuals into the U.S.  Since the invalidation of the Safe Harbor, U.S. companies have been eagerly awaiting word of a new legal framework to govern transatlantic data transfers and to ease concerns that companies may face enforcement actions by individual EU countries.

This announcement is another sign that the Obama Administration is serious about allaying European concerns about data privacy in the U.S.  Last week, the U.S. adopted into law the Judicial Redress Act, which grants EU citizens the right to enforce data protection rights in U.S. courts.

The Privacy Shield, which includes Privacy Shield Principles, is designed to offer EU individuals stronger privacy monitoring and enforcement and easier redress for concerns, and it includes written commitments by the U.S. government on the enforcement of the arrangement.

Yesterday, in addition to the release of the legal texts, the European Commission also made public a draft “adequacy decision” establishing that the Privacy Shield safeguards are equivalent to data protection standards in the EU.

Some of the key components of the Privacy Shield include:

  • Strict and transparent supervision of U.S. companies to safeguard personal data of European customers and business partners. The Privacy Shield calls for sanctions against companies that fail to protect this data, or exclusion if they do not comply.
  • Strengthening protection of personal data that is transferred from a Privacy Shield organization to a third party controller or agent by requiring, among other things, that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual.
  • Clear restrictions on U.S. government access to Europeans’ private information. This aspect of the Privacy Shield will be overseen by an Ombudsperson office operating independently of U.S. national security agencies.
  • Dispute resolution mechanisms for Europeans who have a privacy complaint involving a U.S. business. These mechanisms include binding arbitration. Businesses will have 45 days to respond to complaints by EU consumers before the dispute resolution process begins.
  • An annual joint review by the European Commission and U.S. Department of Commerce to ensure the Privacy Shield is working as it should.

The EU-U.S. Privacy Shield isn’t finalized yet, as both sides still must complete certain components. But today’s announcement gives a working understanding of how the Privacy Shield will operate and indicates the seriousness of both parties in addressing this critical business concern and restoring transatlantic trust.

To learn more about the announcement of the Privacy Shield and the invalidation of the Safe Harbor, please see our earlier Client Alerts: US Safe Harbor Not Safe from EU Court Ruling (October 2015), US and EU Reach a Deal to Save Safe Harbor (February 2016) and Rebuilding Trust with the Europeans After Snowden: Obama Signs New Privacy Law (February 2016).