Update on Privacy Shield

Posted by Hugh on 01 March 2016

The EU-U.S. Privacy Shield imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbor framework invalid. The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities.

It includes, for the first time:
• Written commitments and assurances from US authorities regarding their access to personal data
• Strong obligations on US companies and robust enforcement by the FTC and the Department of Commerce
• Greater transparency regarding the levels of access to EU citizens' data
• New oversight mechanisms to ensure US companies abide by the Privacy Shield Principles (more on these later)
• Sanctions or exclusion of companies if they do not comply.
• Tightened conditions for onward transfers.

EU citizens will have several redress possibilities:
• Directly with the company: US companies must reply to complaints from EU citizens within 45 days.
• Alternative Dispute Resolution: free of charge.
• With the Data Protection Authority: they will work with the U.S. Department of Commerce and Federal Trade Commission to ensure unresolved complaints by EU citizens are investigated and swiftly resolved.
• Privacy Shield Panel: As a last resort, there will be an arbitration mechanism to ensure an enforceable decision.

What will it mean in practice?

For US-based companies:

• Required to self-certify that they meet the requirements.
• Self-certification will be renewable annually
• Must display a privacy policy on their website.
• Must reply promptly to any complaints.
• When handling HR data of EU citizens, must co-operate and comply with European Data Protection Authorities.

For European citizens:

• More transparency about transfers of personal data to the U.S. and stronger protection of their personal data.
• Easier and cheaper redress possibilities in case of complaints, directly with the US authorities or with the help of their local Data Protection Authority.

Clear safeguards and transparency obligations:
• For the first time, EU citizens will have written assurance from the U.S. that any access of public authorities to personal data will be subject to clear limitations, safeguards, and oversight mechanisms.
• U.S. authorities affirm, in writing, the absence of indiscriminate or mass surveillance.
• Companies will be able to report the approximate number of access requests.
• New redress possibility through EU-U.S. Privacy Shield Ombudsperson mechanism, independent from the intelligence community, handling and solving complaints from individuals.

Annual joint review mechanism:

• Its objective will be to monitor the functioning of the Privacy Shield and U.S. commitments, including as regards access to data for law enforcement and national security purposes
• The review will be conducted by the European Commission and the U.S. Department of Commerce, who will involve national intelligence experts from the U.S. and European Data Protection Authorities
• There will be an annual Privacy Summit with NGOs and stakeholders on developments in the area of U.S. privacy law and its impact on EU citizens
• There will be an annual Public Report by the European Commission to the European Parliament and the Council, based on the Annual Joint Review and other relevant sources of information (e.g. transparency reports by individual US companies).