- EU publishes legal texts governing the new framework intended to replace the invalidated Safe Harbor.
- Texts detail U.S. and companies’ obligations and means for redress available to aggrieved persons.
- Effective date not yet determined.
As we discussed in a prior Privacy & Cybersecurity Update, the European Commission announced in early February that it and the United States had agreed on a new framework, the EU-U.S. Privacy Shield, to govern cross-border flows of personal data and to replace the Safe Harbor framework that was invalidated in the European Court of Justice’s October 2015 Schrems decision.
On February 29, 2016, the European Commission published drafts of the legal texts intended to implement the new Privacy Shield mechanism. The texts include the Privacy Shield principles companies will be required to uphold, as well as the U.S. government’s commitments to enforcing the framework. In addition, the Commission made public a draft “adequacy decision” that, once adopted, will establish that the safeguards provided when data is transferred under the Privacy Shield are equivalent to data protection standards in the EU, a precondition for allowing transfers of data to the United States.
The published texts clarify that under the Privacy Shield, there will be:
- Strong obligations and robust enforcement. The Privacy Shield will contain supervision mechanisms to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply. U.S. companies must register to be on the Privacy Shield List and self-certify each year that they meet applicable requirements. Companies may also agree to comply with advice from European data protection authorities (DPAs), a commitment that will be mandatory for companies handling human resource data. The U.S. Department of Commerce will monitor and actively verify that companies’ privacy policies meet Privacy Shield principles.
- Clear safeguards and transparency obligations on U.S. government access. The U.S. government has given the EU written assurance that any access by public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, and that data will not be subject to indiscriminate or mass surveillance. In addition, the United States committed to establishing an ombudsperson mechanism to handle and resolve complaints raised by EU citizens in relation to possible access by national intelligence services. These written commitments will be published in the U.S. Federal Register and available to the public.
- Several avenues for redress. Any EU citizen who believes that his or her data has been misused by a company subject to the Privacy Shield may:
- Lodge a complaint against the company itself. Companies must resolve complaints within 45 days.
- Complain to the DPA for his or her country of residence. The DPA will refer the complaint to the U.S. Department of Commerce, which will respond within 90 days. If the Department of Commerce is unable to resolve the matter, the Federal Trade Commission will address it.
- Make use of alternative dispute resolution services, which will be provided free of charge. Companies certified under the Privacy Shield must provide this service and disclose the name of their chosen dispute resolution provider.
- Take the complaint to the newly established ombudsperson if it relates to possible access by national intelligence services. The ombudsperson, who is independent from the U.S. intelligence services, will confirm to the complainant that the matter has been properly investigated and either that U.S. law has not been violated or that any violation has been corrected.
- Make use of arbitration available through the newly created Privacy Shield Panel if none of the above methods resolves the matter. The Privacy Shield Panel is a dispute resolution mechanism that can issue binding decisions on U.S. self-certified companies.
- Annual joint review. The European Commission and the U.S. Department of Commerce, assisted by national intelligence experts from the U.S. and European data protection authorities, will review the Privacy Shield’s performance annually. The Commission will draw on all available sources of information, including companies’ transparency reports on the extent of government access requests. The Commission will also hold an annual privacy summit with interested NGOs and stakeholders to discuss broader developments in the area of U.S. privacy laws and their impact on Europeans. Following the annual review, the Commission will issue a public report on its findings to the European Parliament and the European Council.
The European Commission has not yet provided a target effective date for the Privacy Shield. The United States must first create the required infrastructure to meet its new obligations under the framework, and the EU must take additional legislative steps before the Privacy Shield can be enacted. We will keep you updated as more information becomes available, including the Privacy Shield’s effective date.