Last week, the European Commission unveiled the latest documentation related to the EU-U.S. Privacy Shield intended to restore trust in transatlantic data transfer and establish a mechanism for U.S. companies to once again transfer data from the EU with confidence. We wrote last month about the initial announcement of the Privacy Shield but expressed caution about whether the European Union and the United States would be able to iron out the details of the complicated agreement before the February 29, 2016 deadline set by the Article 29 Working Party (“WP29”). But it appears that the two sides were able to make significant progress in the month of February, and the European Commission released more than 120 pages of documentation setting forth the new Privacy Shield requirements.
There are many details in the documentation released last week, but following are the key points:
- Participating organizations will be required to follow rules related to consent, relevance, proportionality, access and correction.
- Arbitration will be available for disputes.
- Participating organizations will be required to provide additional information to data subjects at the point of consent.
- Participating organizations must implement stronger controls on data transfers to third-party data processors and controllers.
- Participating organizations must commit to address EU member complaints “expeditiously” through the FTC.
- The FTC will verify self-certification.
It remains to be seen whether this will be enough to satisfy key stakeholders in the EU. WP39 has announced that it will provide its opinion on the level of protection afforded by the Privacy Shield on April 13, 2016.