Understanding the EU/US Privacy Shield and Its Impact on Business
The US/EU Safe Harbor framework has been invalidated, but a new agreement known as the EU/US Privacy Shield is in the process of being implemented. The new agreement introduces a series of limitations on the processing of European data that will have serious implications for U.S. companies handling European citizen data. Here is what this new agreement entails, what it will mean in practice, and what you should know going forward.
EU/US Privacy Shield's Background
Since 2000, the data transfer agreement known as the Safe Harbor framework enabled the free transfer of data between Europe and the US. However, in October of 2015, the European Court of Justice struck down this agreement, arguing that it failed to safeguard the privacy of European citizens.
The challenge first came before an Irish court from EU citizen activist Max Schrems. Given revelations about mass surveillance conducted by the NSA, he claimed that Facebook had violated his privacy by storing and processing his data within the US.
The Irish court initially rejected Schrems' challenge based on the existence of the Safe Harbor framework, However, when the case next went to European Court of Justice, this court sided with Schrems, and subsequently ruled the Safe Harbor framework invalid.
US and EU authorities scrambled to craft a new framework that would enable data transfer between the US and Europe. In February of 2016, authorities from the EU and US agreed on the EU/US Privacy Shield framework and released the full text of the agreement. On February 29, 2016, the European Commission released the full draft of the "adequacy decision" on the new Privacy Shield agreement, indicating the Commission's approval of the draft. Despite progress on this new agreement, it still requires full ratification by the EU and further implementation by US authorities.
What the EU/US Privacy Shield Framework Entails
For thousands of tech companies and other businesses, it’s important to know what the EU/US Privacy Shield not only requires of them, but how governments will approach this agreement. There are four main tenets involved in the EU/US Privacy Shield agreement, which include the following:
- Robust enforcement – The new agreement is meant to ensure companies comply with rules governing data in a transparent manner. The EU/US Privacy Shield agreement will ensure that companies respect the stipulations within the agreement, and include mechanisms such as sanctions or exclusion for failure to comply.
- Safeguards protecting against U.S. government access – The U.S. government has provided the EU with written assurances that access to data is subject to safeguards, limitations and strict oversight. Furthermore, an Ombudsperson mechanism inside the U.S. State Department will be established to receive and solve complaints from individuals.
- Redress available to EU citizens – The new agreement requires companies to resolve complaints within 45 days. EU citizens can pursue Alternative Dispute Resolution free of charge by filing complaints with National Protection Authorities in their own countries, who will then work with the Federal Trade Commission for investigation and resolution. For complaints that go unresolved, an arbitration mechanism will also be in place as a last resort.
- Annual review mechanism – The European Commission, the U.S. Department of Commerce and both U.S. and European Data Protection Authorities (DPAs) will oversee an annual review of the Privacy Shield. An annual privacy summit will also be held regarding developments in U.S. privacy law and surveillance, and their impact on Europeans. Each year, the European Parliament will issue a public report.
There are also key differences between the old Safe Harbor agreement and the new agreement. The EU/US Privacy Shield will include stronger obligations for companies in the U.S. to protect European citizen data, and introduces increased oversight and monitoring by government agencies on both sides of the Atlantic.
What It Means in Practice
For American companies, it’s important to understand how the new agreement will change the way they handle European data. Here is what is now required:
- Businesses must now self-certify on an annual basis that they meet all obligations under the new agreement.
- Companies must clearly display a privacy policy on their website.
- Companies must promptly respond to individual complaints.
- Companies that handle human resources data must cooperate and comply with European DPAs.
In addition, the U.S. Department of Commerce will verify that companies' privacy policies are in line with Privacy Shield stipulations. There will also be a list maintained of Privacy Shield members, and companies are subject to removal from this list.
Next Steps in the Agreement
At this point, a committee with representatives of the European Member States and the DPAs will provide their opinions before a final decision on the agreement is made. The EU Council and the European Parliament must still approve the agreement as well before it goes into effect. Challenges are still expected to the agreement, and may hinder its full implementation.