EU-U.S. Privacy Shield Adopted, Ending Data Protection Uncertainty
July 2016
On July 12, 2016, the European Commission ("Commission") adopted the EU-U.S. Privacy Shield agreement (the "Privacy Shield"), which will replace the recently invalidated "Safe Harbor" agreement between the two powers.
The Privacy Shield, which takes effect immediately, places stronger obligations on U.S. companies to protect Europeans' personal data. These obligations address the concerns of the European Court of Justice that led to the invalidation of the Safe Harbor arrangement. Under the Privacy Shield, the United States will be required to monitor compliance with and vigorously enforce the new Privacy Shield rules. In practice, companies in the United States will be required to register to be on the Privacy Shield list and to self-certify annually that they meet the requirements of the Privacy Shield in order to remain in compliance. Companies must also display their privacy policies on their website, reply promptly to citizen complaints, and, if handling human resources data, cooperate and comply with European Data Protection Authorities. Companies in the U.S. that are in compliance with the stringent data protection standards set out by the Privacy Shield will be able to certify with the Department of Commerce beginning August 1, 2016.
The Privacy Shield involves the following components.
- Commercial Sector: The Privacy Shield places obligations on companies and provides for robust enforcement mechanisms requiring greater transparency. Under this new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies to ensure compliance. The Privacy Shield also implements tightened conditions for when companies may transfer an individual's personal data on to third parties. If any companies fail to comply with the Privacy Shield provisions, they could face expulsion from the certification program.
- U.S. Government: The Privacy Shield provides for clear limitations, safeguards, and oversight mechanisms on public authorities with respect to their access to personal data. The United States has assured the EU that the access of public authorities to personal data for law enforcement and national security is subject to these rules, and it has ruled out indiscriminate mass surveillance of personal data transferred from the EU to the United States. The Privacy Shield also provides for a new redress mechanism in which an ombudsperson within the U.S. State Department, independent from the national security services, will handle and resolve individual complaints.
- Redress Mechanisms: The Privacy Shield includes a requirement that companies reply to complaints from individuals within 45 days. It also provides for free alternative dispute resolution as well as coordination among the European Data Protection Authorities, the U.S. Department of Commerce, and the Federal Trade Commission on the investigation and resolution of unresolved complaints. It also creates the Privacy Shield Panel, a last-resort arbitration mechanism to ensure enforceable decisions.
- Monitoring: To ensure compliance and continued relevance, the Privacy Shield establishes an annual joint review mechanism under which the Commission and the U.S. Department of Commerce monitor the Privacy Shield's effectiveness and its protection of information; an annual privacy summit with non-governmental organizations and stakeholders on developments in U.S. privacy law and their impact on Europeans; and a public report by the Commission to the European Parliament and the European Council, based on the annual joint review and other collected information.
Last April, the Article 29 Working Party expressed reservations about, among other things, the proposed Privacy Shield's broad national security exceptions. Some of the subsequent modifications to the Privacy Shield were to address these concerns, shared by many privacy advocates. These most recent modifications include additional clarifications on bulk collection of data, strengthening the ombudsperson mechanism, and more explicit obligations on companies regarding limits on retention and onward transfers.
If you have any questions about data privacy and regulatory compliance, or you need assistance ensuring your compliance with the new Privacy Shield, please contact an attorney in our Cybersecurity & Data Privacy Practice Group. Click here to view our previous alert about the invalidation of the Safe Harbor.