On February 2, 2016, it was announced that the United States and the European Union had reached an agreement on a new framework to replace the Safe Harbor that was invalidated back in October. The new framework, called the "Privacy Shield," places stronger obligations on U.S. companies to protect the personal data of Europeans and requires stronger monitoring and enforcement by the U.S. Department of Commerce and the FTC.
Although the actual text of the Privacy Shield has not been released, the key elements were addressed in Tuesday's announcement:
-
The framework will require U.S. companies importing personal data from Europe to commit to "robust obligations" on how that personal data is processed. The companies must publish their commitments, which will make them enforceable under U.S. law by the FTC.
-
Any U.S. company handling human resources information from European employees must commit to comply with decisions of the European Data Protection Authorities.
-
The U.S. government has assured the EU that "the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms." Exceptions must be used only to the extent necessary. Additionally, the U.S. has agreed to eliminate indiscriminate mass surveillance on personal data transferred under the Privacy Shield.
-
The European Commission and the U.S. Department of Commerce will conduct an annual joint review to monitor the Privacy Shield, including national security access.
-
Any European citizen who alleges that their data has been misused under the Privacy Shield will have several avenues of redress. Companies will have set deadlines to respond to complaints, European DPAs can refer complaints to the Department of Commerce and the FTC, and Alternative Dispute Resolution will be free. A new Ombudsperson will handle complaints on possible access by national intelligence authorities.
In the next few weeks, a draft "adequacy decision" will be prepared and considered for adoption by the College of Commissioners. In the meantime, the United States will prepare for putting the new framework in place.
Although early, the reaction to the Privacy Shield has been mixed. Businesses relying on data transfers from the EU to the US are certainly relieved to have a new framework in place. On the other hand, many are concerned that the framework suffers from the same flaws that doomed the Safe Harbor, including whether U.S. intelligence agencies have too much access to personal data from the EU. Only time will tell whether the Privacy Shield will be able to deflect challenges.
