In February, negotiators from the European Commission and the United States announced an agreement, referred to as the "Privacy Shield," to replace the recently invalidated U.S.-EU Safe Harbor Framework for the transfer of EU residents' personal data to companies in the United States. After being reviewed by authorities in both jurisdictions for a number of months, EU and U.S. officials have formally announced their approval of the Privacy Shield as adequate to protect the privacy of EU citizens, and have made its final amended terms available to the public. A previous D&G Alert covered the February announcement and background.

New Framework Imposes Stronger Obligations

The new framework is intended to protect the fundamental privacy rights of EU individuals when their data is transferred to the United States, and ensure a legal certification process for U.S. businesses. The new Privacy Shield, which consists of seven Privacy Principles that companies must abide by and commitments on how the arrangement will be enforced, will be subject to an annual U.S. and EU joint review to enable authorities to tackle hurdles as they arise and address the ongoing issue of national security access.

In its announcement of the agreement, the European Commission has also made available the final version of the EU's adequacy decision establishing the sufficiency of the new framework for protecting personal data transferred to the United States and outlining how the various requirements of the October 2015 European Court of Justice ruling invalidating the Safe Harbor mechanism have been addressed and satisfied.

In general, the framework imposes stronger obligations on companies in the United States to protect the personal data of individuals and requires stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission, including increased cooperation with the European Data Protection Authorities. The new arrangement includes, for the first time, written commitments and assurances by the United States that any access by public authorities to personal data transferred on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalized access or indiscriminate mass surveillance.

The Privacy Shield also requires regular reviews of participating companies by the Department of Commerce to confirm their continued compliance with the applicable data protection rules, and includes dispute resolution mechanisms for individual citizens who believe that their data has been misused under the Privacy Shield process. In particular, the possibility of redress for EU citizens whose data is transferred to the United States may now be handled by a new ombudsperson who functions independently from U.S. intelligence services.

Bottom Line

As of August 1, 2016, U.S. companies will be able to register to be on the Privacy Shield list and self-certify that they meet data protection standards set out by the new arrangement that exceed those under the old Safe Harbor. Businesses will need to carefully review these standards to confirm that they have mechanisms in place to ensure compliance, including procedures to respond promptly to consumer complaints and to cooperate, where necessary, with European Data Protection Authorities. Company registrations will need to be renewed every year.
