On February 29, 2016, the European Commission (“EC”) and the U.S. Department of Commerce (“Commerce”) released the long-awaited text of the European Union (“EU”) – United States (“U.S.”) Privacy Shield, an agreement-in-principle that, if approved by European authorities, would replace the Safe Harbor Framework as a potential basis for transatlantic transfers of personal data. The Safe Harbor Framework was invalidated by the European Court of Justice in October 2015, when the Court found the agreement failed to provide adequate protection for EU citizens’ privacy rights.
The new agreement is presented as a 128-page “package,” including the EU-U.S. Privacy Shield Framework Principles, an annex on the arbitral model, and numerous letters from U.S. officials. It notably ups companies’ obligations and, although mimicking the self-regulatory structure of the Safe Harbor, it adds sharp enforcement teeth. Under the Privacy Shield, for example, companies will be required to resolve consumer complaints within 45 days and European data protection authorities (“DPA”) can work with the U.S. Federal Trade Commission (“FTC”) to ensure compliance. The enforcement staff at Commerce will be substantially increased, as well as the penalties for companies found to be out of compliance.
Please see full publication below for more information.