On Monday, the European Commission issued a draft of the newly minted EU-U.S. Privacy Shield. The new arrangement replaces the Safe Harbor framework, which regulated the transfer of personal data of European individuals from countries in the European Union (“EU”) to U.S. companies. After two years of negotiations between the U.S. and the European Commission, a political agreement was reached last month on the framework for the new arrangement.
Included in the Monday communication was a draft “adequacy decision” as well as the texts that will constitute the EU-U.S. Privacy Shield. These include the Privacy Shield Principles that participating companies must abide by, and they make public the U.S. Government’s written commitments regarding enforcement of the arrangement. The written commitments will be published in the U.S. Federal Register and include assurances on the safeguards and limitations concerning public authorities’ access to data. The United States has given written commitments and assurances from Secretary of State John Kerry, Commerce Secretary Penny Pritzker, the Federal Trade Commission and the Office of the Director of National Intelligence, amongst others.
What is an “adequacy decision”? An adequacy decision is a decision adopted by the European Commission establishing that a third country, here the U.S., ensures an adequate level of protection of personal data by reason of its domestic law and international commitments. The effect of such a decision is that personal data can flow from the 28 EU Member States (and the three European Economic Area countries Norway, Liechtenstein and Iceland) to U.S. organizations that have self-certified under the Privacy Shield, without any further safeguards being necessary.
What has changed? The Commission’s communication also points to the EU’s broader data protection reform. Under the General Data Protection Regulation agreed in December 2015, any company offering goods or services to individuals in the EU, or monitoring their behavior (as social media platforms such as Facebook do), will be required to comply with the same privacy rules as companies based in the EU, regardless of where it is established.
A key element of the EU’s data protection reform (the General Data Protection Regulation) is stronger enforcement of data protection rules. National data protection supervisory authorities (“DPAs”) will be empowered to impose fines of up to EUR 20 million or 4% of a company’s total worldwide annual turnover, whichever is higher. The power to impose such sanctions for non-compliance ensures that companies doing business in the EU will have every incentive to comply with EU law. The new rules also introduce clearer and stricter liability for controllers and processors.
The new arrangement includes commitments and assurances by the U.S. that any access by public authorities to personal data transferred under it will be subject to clear conditions, limitations and oversight, preventing generalized access. A newly created Ombudsperson mechanism will handle complaints and inquiries raised by EU individuals concerning possible access by national intelligence services. Separately, on February 24, President Obama signed the Judicial Redress Act. Once it takes effect and the relevant countries have been designated under it, it will give EU citizens access to U.S. courts to enforce privacy rights in relation to personal data transferred to the U.S. for law enforcement purposes, extending to them certain rights that U.S. citizens and residents enjoy under the Privacy Act of 1974.
Next steps. Before a final decision is adopted, a committee composed of representatives of the EU Member States will be consulted and the EU Data Protection Authorities (the Article 29 Working Party) will give their opinion. In the meantime, the U.S. will make the necessary preparations to put in place the new framework, its monitoring mechanisms and the new Ombudsperson mechanism.
Following the adoption of the Judicial Redress Act by the U.S. Congress and its signature into law by President Obama, the Commission will shortly propose the signature of the EU-U.S. Umbrella Agreement, which governs transfers of personal data for law enforcement purposes. The decision concluding that Agreement should be adopted by the Council after obtaining the consent of the European Parliament.
What does this mean for data handling practice? It is too soon to prescribe specific changes in practice. Once there is greater visibility into the intentions of EU regulators, we will follow up with our thoughts. For now, however, companies should evaluate their disclosures concerning data collection and use to determine whether they are sufficiently clear and conspicuous to consumers. In this regard, consideration should be given to whether a formal opt-in mechanism is called for. In a recent Wall Street Journal article, a German trade regulator commented, “It needs to be clarified whether consumers are being sufficiently informed about the nature and scale of data collection.”
The international law, compliance, privacy, and data protection attorneys at FisherBroyles will continue to follow the progress of this matter and are available to work through the compliance needs and the alternatives to Safe Harbor data transfers with those in need of advice and assistance. Please contact any of the following attorneys for further information.