Earlier today, the European Commission, the executive body of the EU, approved the adoption of the “Privacy Shield” data agreement covering the transfer of personal data from the EU to the United States. On July 8, the Article 31 Committee, which is comprised of representatives of the 28 EU member states and the EU Commission, issued a statement of strong support for the agreement, allowing its adoption today by the Commission. The Privacy Shield will replace, effective immediately, the Safe Harbor data agreement, which the European Court of Justice invalidated last October. Following the recent referendum in the UK, in which a majority of voters decided to leave the EU, the Privacy Shield will apply to UK and U.S. data transfers until the UK formally exits the EU and/or until the UK and U.S. reach a separate agreement.
With the invalidation of the Safe Harbor, EU and U.S. representatives moved swiftly to negotiate a new agreement. On February 2, negotiators for the EU and U.S. reached an agreement aimed at allowing U.S. companies to continue to transfer personal data more easily from the EU to the U.S. The EU data privacy regulators, known as the Article 29 Working Party, along with a committee comprised of EU member representatives, reviewed the agreement and provided their advice to the Commission. The Article 29 Working Party strongly recommended that the agreement be strengthened.
As a result of the recommendation to strengthen the Privacy Shield, EU and U.S. negotiators revised parts of the agreement. The significant changes include the requirement that companies delete personal data which is no longer being used for its intended purpose. Also, companies receiving the data secondhand will have to adhere to the same guarantees of data protection as those signed up under the framework of the agreement. Finally, the U.S. negotiators provided more information about the use of bulk data collection.
The Privacy Shield will provide U.S. companies with certain regulatory protections from enforcement action if they follow the guidelines of the agreement. To comply with the Privacy Shield Framework, U.S. companies would have to self-certify with the U.S. Department of Commerce and publish their commitments on how personal data would be processed and how individual rights would be guaranteed. These commitments would then be subject to U.S. law and enforceable by the U.S. Federal Trade Commission (FTC).
The Privacy Shield Framework is divided into four specific areas. Those are 1) EU Individuals’ rights and legal remedies, 2) Program oversight and cooperation with EU data protection authorities, 3) Key new requirements for participating companies, and 4) Demonstration of limitations and safeguards on national security and law enforcement access to data. A copy of the Framework can be accessed at: https://www.commerce.gov/privacyshield.
The first section of the Framework provides EU citizens with recourse should they believe the privacy or security of their personal data has been compromised. U.S. companies participating in the Framework must put into place a system to address and investigate complaints. Companies have 45 days in which to respond to the individual acknowledging receipt of the complaint. The individual can also pursue private causes of action through U.S. state courts and participating companies must agree to binding arbitration if the matter cannot be resolved through other means.
The next component of the Framework falls on the U.S. Department of Commerce and the FTC. The Department of Commerce has agreed to help ensure compliance with the program by verifying that participating companies submit all the necessary information, identifying and addressing false claims of participation, conducting periodic analyses of the program as well as other safeguarding activities. Both entities would also establish channels of communication with EU data privacy authorities to exchange information regarding complaints and program material and to provide enforcement assistance.
The third area addresses the requirements for participating companies. Companies must inform individuals about their rights to access their data, provide information on the obligations of the company to supply individual data to law enforcement and other authorities, and explain the liability of the company in cases of the transfer of personal data to third parties. Companies must limit the transfer of personal information to the data that is needed for the purpose of processing and must enter into agreements with third parties on the limitations and requirements that come with the transfer of the data. The Framework also outlines those instances when companies need to interact with the Department of Commerce and the FTC.
Finally, under the Framework, the U.S. Department of Justice and U.S. intelligence agencies have provided the European Commission with information about the limitations of U.S. government agencies to access data held by U.S. companies and the policies in place to ensure the data is being accessed in adherence to U.S. laws. EU citizens who have questions about communications being monitored by U.S. intelligence officials will be able to submit their inquiries to an Ombudsman. The U.S. Department of State will establish the Ombudsman to respond to the inquiries about U.S. intelligence policies.
Worldwide ERC® will continue to keep you apprised of any new developments with the implementation of the Privacy Shield.