Two days after the deadline passed for reaching a new data-transfer agreement to replace the U.S.-EU Safe Harbor, the European Commission announced a forthcoming new framework, the Privacy Shield, designed to continue allowing U.S. organizations to transfer personal data out of Europe. The Privacy Shield is intended to impose “stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities” (DPAs).
The European Commission has pledged to issue a decision in the coming weeks containing the text of the Privacy Shield, which will address the requirements set forth in the Court of Justice of the European Union’s October 2015 decision in Schrems v. Facebook. Until then, here is a basic overview of the high-level principles underpinning the agreement:
- Stronger processing obligations: U.S. organizations that transfer data must commit to adhere to the new processing obligations and publish details regarding their processing. The U.S. Department of Commerce will monitor their publication.
- Compliance: U.S. organizations that engage in the cross-border transfer of EU residents’ human resources data must comply with the decisions of EU DPAs.
- Limited access by U.S. law enforcement agencies: No mass surveillance is permissible under the new scheme. Rather, agencies can only access Europeans’ personal data under “clear conditions, limitations and oversight,” and these exceptional uses must be “necessary and proportionate.” The European Commission and U.S. Department of Commerce will review this access annually.
- Right to redress: European citizens can complain of privacy violations through several avenues, including to the U.S. company that collected their data, to DPAs (which can also refer complaints to the Department of Commerce and Federal Trade Commission), and to a dedicated ombudsman in the U.S. Department of State.
The European Commission suggested that it will take two to three months to finalize the arrangements of the Privacy Shield. In the interim, the Article 29 Working Party, the group of data protection officials from each EU member state, has decided to permit businesses to continue transfers via alternative means, such as standard contractual clauses and binding corporate rules, while the details of the Privacy Shield are being worked out. The Working Party plans to meet again in March to review the full text of the Privacy Shield.