The European Commission has finally issued a formal decision approving the U.S.-EU Privacy Shield, a revamped framework for transatlantic data transfers. The Privacy Shield will serve as the successor to the U.S.-EU Safe Harbor, which the European Union’s highest court invalidated last year over concerns that American laws fail to protect the privacy of European citizens. (For greater detail, see our article here.)
U.S. and EU officials developed the Privacy Shield in early February, but in April a group of EU data privacy regulators known as the Article 29 Working Group expressed dissatisfaction with the protections offered under the proposed framework, particularly with regard to surveillance activities conducted by the U.S. government. The U.S. Department of Commerce and the European Commission made further revisions to address the Article 29 Working Group’s concerns, with the U.S. providing stronger assurances concerning limits on surveillance and on the onward transfer of EU citizens’ data to third parties. More specifically, the U.S. Department of Commerce has developed a set of principles (the Privacy Shield Principles) that American companies must follow when collecting, storing, and transferring data. The revised framework will also require U.S. companies that handle transatlantic data transfers to ensure the downstream protection of that data; that is, if they share data with a third-party processor, for example, they need to verify that the processor also adheres to the Privacy Shield Principles.
The Privacy Shield also provides for an ombudsperson to handle complaints from EU citizens about data privacy violations by U.S. intelligence agencies, and recent revisions reportedly clarified the independence of the ombudsperson from U.S. security agencies. The Department of Commerce is expected to take an active role in monitoring company certifications, maintaining a list of all certified companies, and verifying that companies adhere to the Principles and accurately represent their certification status. European citizens who believe that their data privacy has been compromised by American companies can seek redress directly from the companies, through alternative dispute resolution channels, or by lodging a complaint with the data protection authority in their home nation. Those complaints may be referred to the FTC for prompt evaluation and enforcement.
The self-certification gates open on August 1, and companies planning to rely on the Privacy Shield should already be familiarizing themselves with self-certification requirements. In the coming week we will be providing more details on the key requirements for U.S. companies signing up to the Privacy Shield and can assist them with the navigation of the process.