Privacy Shield: The New Transatlantic Agreement and How it May Impact Your Company
Last Tuesday, February 2, 2016, the European Commission announced that it approved the EU-U.S. Privacy Shield (“Privacy Shield”), an agreement with the U.S. Department of Commerce establishing a new framework for transatlantic data flows. Although the full text and details of Privacy Shield have not been released, the new framework is expected to replace the now defunct Safe Harbor, providing 4,400 Safe Harbor-certified companies with greater certainty about data transfers from Europe to the US.
Here's what you need to know:
Elements of Privacy Shield
European Commission Vice-President Ansip and Commissioner Jourová are charged with preparing a draft “adequacy decision” that will include at least the following three elements:
- Robust enforcement and strong obligations on companies handling Europeans' personal data: U.S. companies will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor whether companies publish their commitments and the US. Federal Trade Commission will manage enforcement. Any company handling human resources data from Europe will have to commit to comply with decisions by European Data Protection Authorities (DPAs).
- Clear safeguards and transparency obligations on U.S. government access: The U.S. has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.
- Effective protection of EU citizens' rights with several redress possibilities: Citizens who believe that their data has been misused will have several redress possibilities under the new arrangement. Companies will have deadlines to reply to complaints and European DPAs will be able to refer complaints to the Department of Commerce and the Federal Trade Commission. Alternative Dispute resolution will be free of charge. A new and independent Ombudsperson will manage citizen complaints regarding possible access by national intelligence authorities.
No. Although the announcement of a renewed commitment between the U.S. and EU is promising, Privacy Shield has several procedural hurdles to overcome before adoption and, even then, may still be challenged in European courts. The post-Schrems decision regulatory framework for transatlantic data transfer remains unchanged and uncertain. Put simply:
- Safe Harbor is invalid and any data transfers that rely on this mechanism violate EU law
- Binding corporate rules, standard contractual clauses, and ad hoc contracts or intra-group data transfer agreements continue to be valid mechanisms for transatlantic data transfers
For our part, we will continue to monitor developments as they unfold and will provide a more detailed analysis of the Privacy Shield agreement once it has been released to the public.