“Privacy Shield” to Replace Safe Harbor as a Path for Transatlantic Transfers of Personal Data

  • 2.25.2016

Attorneys in WilmerHale's Cybersecurity, Privacy and Communications Practice recently wrote about the new EU-US Privacy Shield rolling out to replace . We wanted to share this content with our audience as for some of you it could have an impact on how you do what you do.   

After months of debate about the fate of the US-EU Privacy that thousands of companies used to lawfully obtain personal data from the European Union, we finally have some details about the successor mechanism for handling transatlantic data transfers. Dubbed the “EU-US Privacy Shield,” the new voluntary framework envisions a more active role for government officials and regulators on both sides of the Atlantic. The text of the new arrangement is expected to become available in the coming weeks.

A press release from the European Commission explains that the new arrangement will impose: (1) strong obligations on companies handling Europeans’ personal data and robust enforcement; (2) clear safeguards and transparency obligations on US government access; and (3) effective protection of EU citizens’ rights with several redress possibilities. In short, the US Department of Commerce has explained that the framework aims both to encourage additional commercial privacy protections and oversight and to address European concerns regarding US government surveillance practices.

What safeguards are envisioned?  

  • Under Privacy Shield, the Department of Commerce, Federal Trade Commission (FTC), and EU Data Protection Authorities (DPAs) will conduct an annual review of the new framework. Unlike the , officials expect to make periodic changes to the framework.
  • The Department of Commerce will be given additional resources to supervise compliance with the Privacy Shield. It will monitor whether companies have published their commitments under the framework and will be more involved in resolving consumer complaints.
  • EU citizens will have access to additional avenues to resolve privacy concerns at no cost to them. New deadlines for responding to complaints will be imposed, and participating US companies must commit to participating in binding arbitration as a matter of last resort.
  • Further arrangements will be made among the FTC and DPAs with respect to their individual capacities to address individual complaints and other broad privacy concerns. DPAs will also have a stronger role in policing the new framework.
  • Companies relying on the Privacy Shield will likely have new transparency obligations and new contractual requirements regarding onward data transfers.

What commitments is the US making with respect to surveillance practices?  

  • The US Intelligence Community will describe in writing the constitutional, statutory, and policy safeguards that apply to the US government’s surveillance activities. The Intelligence Community also has confirmed that it will not engage in “indiscriminate mass surveillance” of personal data transferred under the Privacy Shield.
  • EU citizens will be given a formal channel for raising concerns about US government surveillance practices.
  • A “privacy ombudsperson” will be established within the US State Department to address issues raised by DPAs about US government surveillance practices.

What does this mean for your company?  

Precise details of what will be required of Privacy Shield participants remain unclear. It may be some time before the Privacy Shield is up and running. Importantly, the Privacy Shield agreement is still aspirational and will not provide a lawful data transfer mechanism until the European Commission reviews the proposed framework and issues a favorable “adequacy” determination signifying that it affords suitable protections that overcome perceived gaps in US data protection laws.

At present, transatlantic data transfers that rely only on the framework continue to be illegal, and it is an open question whether or how prior registrations under the will transfer to the new Privacy Shield program.

European privacy regulators have stated that companies can continue to use the existing transfer mechanisms such as binding corporate rules and model contracts until the regulators have completed their review of the Privacy Shield, which they currently expect to do by March/April 2016. The Article 29 Working Party, which represents the DPAs, has explained that it requires more information from the European Commission “in order to know precisely the content and legal bindingness of the arrangement and to assess whether it can be answer the wider concerns raised by [the] Schrems judgment” that invalidated the .

Finally, in light of the arguments that prevailed in the Schrems case, there may be additional legal challenges to the new framework, even if it is approved by the European Commission.