Recently, the European Commission released a draft of its adequacy finding, including a first look at the text of a new EU-U.S. Privacy Shield framework. The release comes as EU and U.S. officials continue to negotiate a framework to replace the Safe Harbor framework, which the European Court of Justice invalidated in October 2015. While the exact framework is not yet available, fact sheets and statements by EU and U.S. officials have outlined some of its main points and principles. U.S. companies seeking to transfer data from Europe into the United States will need to go through a certification process with the U.S. Department of Commerce. Certification will require that U.S. companies demonstrate compliance with seven privacy principles, including limiting the collection of personal information, responding to individuals’ complaints within 45 days, and providing individuals with notice as to how data will be used and the choice to opt-out of certain types of data usage.
The framework also creates an ombudsman position that will be within the Department of State. The ombudsman will monitor enforcement efforts by U.S. companies and follow up on complaints and inquiries by EU citizens. Finally, to ensure that the new program addresses the concerns raised in the ECJ’s 2015, the European Commission and the U.S. Department of Commerce will conduct an annual joint review of the program’s effectiveness in protecting privacy.
The European Commission must consult EU member states, as well as the EU Data Protection Authorities, before formally adopting a decision that recognizes the proposed privacy shield framework as offering adequate protection for EU citizens’ data that is transferred into the U.S.
TIP: Until the Privacy Shield program is finalized and officially put in place, companies engaging in transfers of data from the EU to the U.S. have the same options we have discussed in the past. Companies considering participation, however, may want to start thinking now about how they will live up to the increased obligations and the greater oversight agreed to by U.S. officials.