The proposed Privacy Shield agreement between the US and EU seeks to streamline EU data protection compliance for commercial exchanges requiring the transfer of personal data from the EU to the US. If approved, it would replace the Safe Harbor agreement, which the European Court of Justice deemed inadequate in assuring the protection of personal data.
Privacy Shield seeks to satisfy the concerns raised by the European Court of Justice by imposing stronger obligations and enforcement mechanisms on companies and US government agencies, including: affirmations and assurances about proper personal data use; restrictions on onward transfer; oversight mechanisms; an abolition of mass surveillance and indiscriminate collection; and sanctions for companies, including the ability to exclude non-compliant companies. In addition, EU citizens will be able to file complaints against companies and US government agencies with third parties such as arbitration panels and an ombudsman, which will be available for escalated complaints. Further, companies will be required to answer complaints within 45 days, provide free dispute resolution, and work with data protection agencies in resolving complaints and agency concerns. Finally, there will be joint monitoring by EU and US agencies, including a privacy summit and public reporting.
Practically, for US companies, this will mean compliance self-certification similar to that previously mandated under Safe Harbor. In addition, Privacy Shield adds an enforcement mechanism that requires them to work with EU citizens and privacy agencies to resolve complaints and that provides sanctions for non-compliance.
Privacy Shield was initially scheduled to come into effect at the end of June, and the US has fast-tracked several laws and agreements to implement its changes, including the Judicial Redress Act, which gives EU citizens the right to enforce data protection rights in US courts, and the Umbrella Act, which seeks to implement and enforce data protection rules. Despite these initial aggressive efforts, several obstacles and criticisms have prevented approval of Privacy Shield by the EU. Most recently, the European Parliament passed a resolution listing several deficiencies in the agreement as proposed and asked for further negotiations.
While Privacy Shield is being reviewed and negotiated, other, less streamlined options for legitimate data transfer, such as model contract clauses, binding corporate rules, and consent agreements, will have to suffice. Making passage of Privacy Shield even more urgent, the Irish Data Protection Commissioner recently challenged the model contract clauses. As of writing this blog post, a ruling by the European Court of Justice has not yet been issued on that matter.
For more information about Privacy Shield, see the USCommerce.gov fact sheet.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.