Today, the European Union formally adopted the revamped EU-U.S. Privacy Shield, which had been preliminarily approved on Friday by the EU Member states. This news marks a significant step forward for the legal framework, negotiated by the U.S. Department of Commerce and the EC's Article 29 Working Party, to govern cross-border data transfers between the U.S. and EU member states. The long-awaited replacement program for the currently invalidated EU-U.S. Safe Harbor was given strong support by a nearly unanimous favorable vote on Friday, paving the way for formal adoption of the agreement today. In a joint statement released today, U.S. Secretary of Commerce Penny Pritzker and European Union Commissioner Věra Jourová applauded the outcome, stating that the Privacy Shield Framework "will facilitate more trade and collaboration across the Atlantic, and for consumers, the Framework will ensure access to the latest technologies, while providing strong privacy protections." European trade group DIGITALEUROPE, in its own release Friday, conceded that "negotiations have not been easy," but congratulated the EC and Department of Commerce on striking a deal that "offers greater clarity on data retention," "strengthens obligations for onward transfers," and gives greater clarity and autonomy to the contemplated U.S. Ombudsperson.
The Commerce Department will begin accepting certification requests on August 1, and posted a guide for self-certification for interested companies. Organizations seeking to self-certify will need to develop a Privacy Shield-compliant privacy policy that is publicly available (with some exception for human-resources data policies), regularly verified, and identifies an independent recourse mechanism available to data subjects at no cost. Self-certifying organizations will also need to identify a lead contact for handling data privacy questions, complaints, and access requests under the Privacy Shield. The final text of the Framework is available here, and the Commerce Department has provided a Fact Sheet that summarizes the key new requirements for participants. Significantly, the revised text and accompanying materials, released today, include new assurances regarding the collection of signals intelligence by the U.S. intelligence community, new examples of acceptable secondary data processing, a new requirement that the Department of Commerce update the Commission on relevant developments in U.S. law, clarification of anonymization, and an added notification requirements for third party data processors.
Ratification of the Privacy Shield had previously stalled for the same reason that scuttled Safe Harbor and was only resolved after U.S. government officials provided written assurances regarding limitations, safeguards and oversight of EU citizens' data surveillance, including a promise that mass collection of data would not be employed. While a major step forward, approval by the European Commission does not prevent challenges to the framework before the European Court of Justice, similar to the Schrems decision that prompted negotiations on the Privacy Shield. More than 4,000 companies were left to find alternative means for data transfers following Schrems, including Binding Corporate Rules, data subject consent, and model contract clauses. Commerce Secretary Pritzker sought to provide assurances of the Privacy Shield's enforceability, noting today that "[w]ith new privacy protections in place, we are confident the Framework will withstand further scrutiny."
It remains to be seen how the Privacy Shield will be implemented and revised to fit the EU-wide General Data Protection Regulation, which becomes enforceable in 2018.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
