As previously noted, in response to the European Court of Justice ruling in Schrems v. Data Protection Commissioner (Case C-362/14) striking down as inadequate the so-called “safe harbor” agreement that existed for more than a decade, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. Described as the EU-U.S. “Privacy Shield” agreement, that framework has now been vetted by EU Member States, modified in certain respects, and formally adopted on July 12, 2016 by the European Commission.
As adopted, the agreement contains a number of requirements with respect to data collection of personal information and cross-border data transfers, consists of Privacy Principles that companies must abide by, and sets forth commitments on how the arrangement will be enforced, including:
- Regular reviews by the U.S. Department of Commerce of participating companies to track compliance with the new rules and impose sanctions and possible removal from the complying companies.
- Limitations of privacy data access by public authorities for law enforcement and national security purposes. Indiscriminate mass surveillance of personal data transferred to the US under the EU-U.S. Privacy Shield arrangement is prohibited and bulk collection of data is only allowed under specific preconditions and should be as targeted and focused as possible.
- The establishment of a system to lodge any complaints about data collection through an ombudsman process established by the US Department of State, as well as the creation of alternative dispute mechanisms for citizens to petition companies concerning the handling of their personal data.
Since presenting the framework of the Privacy Shield back in February 2016, the EU Commission has received comment from European data protection authorities, the European Data Protection Supervisor, and the European Parliament. The EU Commission also continued working with the U.S. government to reach specific clarifications on bulk collection of data, the Ombudsperson mechanism, and on the explicit obligations of companies with respect to retaining and forwarding data.
In the United States, the Privacy Shield requirements will be published in the Federal Register and its operation will be overseen by the U.S. Department of Commerce. Once companies have had an opportunity to review the specific requirements they will be able to certify with the U.S. Department of Commerce that they are in compliance starting August 1, 2016.
Although the agreement on the specific requirements of the Privacy Shield is a welcomed announcement for companies in the aftermath of the Schrems decision, legal challenges to the Privacy Shield are certain to follow from privacy groups and EU citizens, leaving a cloud of uncertainty over whether the new protections are sufficient to overcome objections based on Europe’s fundamental right to privacy afforded to its citizens.