On Leap Day, the European Commission published a series of documents that, if approved, will form the EU-U.S. Privacy Shield, replacing the Safe Harbor framework that was invalidated in October. The documents include a press release, a fact sheet, a draft adequacy decision finding that the Privacy Shield offers protection for data transfers equivalent to that required by the EU Data Protection Directive 95/46, and seven annexes that set forth procedures for compliance with the adequacy decision.
The fact sheet explains that the Privacy Shield strengthens the protections of the former Safe Harbor, with greater transparency and more supervision from the U.S. Department of Commerce to enforce compliance. For the first time, the U.S. government has provided written assurance to the EU that any access to collected data by public authorities will be subject to clear limitations, safeguards, and oversight. The Privacy Shield also provides redress to EU residents for violations through corporate mechanisms (which must resolve disputes within 45 days), free alternative dispute resolution methods, their national data protection authority, and, as a last resort, arbitration. An independent ombudsman set up through the U.S. Department of State will handle all concerns relating to national security.
As with the Safe Harbor, the Privacy Shield requires U.S. organizations to register to join the Privacy Shield List and to self-certify annually with the Department of Commerce that they meet seven core principles:
- Notice: Data processors must give notice to data subjects regarding the processing of personal data.
- Choice: Data subjects must have the right to opt out if their personal data will be shared with a third party or used for a purpose other than that specified when it was collected.
- Security: Data processors must implement measures that are “reasonable and appropriate” to protect data.
- Data integrity and purpose limitation: Data processors must process personal data consistently with the purpose for collection. Data collected must be reliable, accurate, complete, and current.
- Access: Data subjects have the right to confirm how data processors are using their data and be able to amend or delete inaccurate or improperly processed personal data.
- Accountability for onward transfers: Data controllers and processors can only transfer data in limited circumstances, on the basis of a contract or intragroup arrangement, and only if the contract meets the protections guaranteed by the privacy principles.
- Recourse, enforcement, and liability: U.S. organizations must have “robust mechanisms” in place to ensure compliance with the privacy principles and provide redress and remedies to EU data subjects where data is not processed in a compliant way. To confirm compliance, organizations must undergo either a self-assessment (which should include employee training on privacy policies) or outside reviews.
These principles are fleshed out in supplemental principles that detail additional compliance requirements.
The next steps for the Privacy Shield include an evaluation by a committee of representatives from the EU member states and the Article 29 Working Party, composed of representatives from the EU data protection authorities, before a final review by the College of EU Commissioners. The U.S. government also must prepare to implement the new framework and its mechanisms.
It is not clear whether the principles will meet the expectations of the EU’s data protection authorities, and in the meantime, no one can predict specifically what will happen. It will be interesting to see how things progress from here.