Update: The US Commerce Department has released a “fact sheet” on the new Privacy Shield agreement.
The European Commission has issued a press release that gives an outline of some key changes to the EU-US safe harbor, now dubbed the “Privacy Shield.” The new accord still needs to be reviewed by the Article 29 Working Party and the College of Commissioners, but assuming it remains substantially the same, we can expect the following:
- More stringent obligations on companies handling Europeans’ personal data and more robust enforcement. The details of the new obligations have not yet been announced. The Department of Commerce has committed to monitoring companies for compliance. Again, we don’t know the precise nature of that monitoring. Companies handling HR data from the EU will need to commit to complying with decisions by European DPAs, but since controller-to-controller transfers of HR data are usually within the same corporate group, that shouldn’t be an extra burden.
- Clear safeguards and transparency obligations on U.S. government access. The US has apparently succeeded in showing that, contrary to the facts assumed in the Schrems decision, the US does not engage in indiscriminate mass surveillance. The US has agreed to an annual joint review with the EU, including with respect to national security access to personal data.
- Improved redress options for EU citizens: It appears that the existing redress rights are still in place. In addition, any EU citizen who has a complaint about possible access by EU national intelligence authorities will be able to complain to a new US ombudsperson within the DoJ.
- The Commission will review the adequacy of the US commitments and performance annually, essentially revisiting the Privacy Shield adequacy determination. That means that Privacy Shield should only be viewed as a year-to-year rolling program that could be brought to a swift end if the EU so chooses.
Hopefully the Commission and FTC will make the entire agreement publicly available soon. When it is published, US companies should review the new Privacy Shield program carefully before deciding to commit to it. For companies that have already invested substantial time and effort in putting model clauses in place, it may not offer any advantages. Recall that most of the EU’s major trade partners don’t have a special agreement with the EU, and presumably rely for the most part on the model clauses, BCRs and consent. While the model clauses and BCRs are under review by the Article 29 Working Party, the Commission’s new findings concerning the non-existence of indiscriminate mass surveillance by the US will make it harder to attack the model clauses and BCRs.