- EU adopts new Privacy Shield framework to replace the invalidated Safe Harbor.
- New framework imposes robust obligations on companies and the U.S. and provides a means for redress by aggrieved persons.
- U.S. companies will be able to register with Privacy Shield beginning August 1, 2016.
In a previous Privacy & Cybersecurity Update, we reported that the European Commission and the United States had agreed on a new mechanism permitting the transfer of EU nationals’ personal information to the United States. Intergovernmental negotiations had led to the announcement in February 2016 of a new framework, called the EU-U.S. Privacy Shield, to govern cross-border flows of personal data and, more importantly, to allow those flows to continue. The Privacy Shield is designed to replace the former EU/U.S. Safe Harbor framework that was invalidated by the European Court of Justice in its October 2015 Schrems decision.
On July 12, 2016, the European Commission adopted the Privacy Shield and on the same day issued an immediately effective “adequacy decision” finding that the safeguards the Privacy Shield provides for transferred data are essentially equivalent to the level of protection guaranteed under EU law. U.S. businesses have awaited the adoption of the Privacy Shield to end the period of uncertainty brought on by the Schrems decision.
As described in more detail in our prior Privacy & Cybersecurity Update, the Privacy Shield provides:
- Strong obligations and robust enforcement. The Privacy Shield contains supervision mechanisms to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply. U.S. companies must register to be on the Privacy Shield list and self-certify each year that they meet applicable requirements. The U.S. Department of Commerce will monitor and actively verify that company privacy policies meet Privacy Shield principles, a change from the Department’s role under the Safe Harbor.
- Clear safeguards and transparency obligations on U.S. government access. The U.S. government has given the EU written assurance that any data access by public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. In addition, the United States established an ombudsperson mechanism to handle and resolve complaints raised by EU individuals regarding possible access by national intelligence services.
- Several avenues for redress. Any EU individual who believes his or her data has been misused may lodge a complaint with the company processing the data, complain to a local data protection authority, make use of alternative dispute resolution mechanisms, consult the ombudsperson regarding complaints relating to possible access by national intelligence services or, as a last resort, invoke binding arbitration before the newly created Privacy Shield Panel.
- Annual joint review. The European Commission and the Department of Commerce will conduct an annual review to monitor the functioning of the Privacy Shield.
Now that it has been adopted, the Privacy Shield framework will be published in the Federal Register and the Department of Commerce will begin operating it. After companies have had an opportunity to review the framework and make any necessary updates to their privacy policies and compliance programs, they will be able to register to be on the Privacy Shield list beginning August 1, 2016.
We will keep you updated as more information or guidance on compliance with the Privacy Shield becomes available.