On February 29, 2016, the European Commission issued the legal texts that will implement the EU-U.S. Privacy Shield. These texts include a draft adequacy decision from the European Commission, Frequently Asked Questions and a Communication summarizing the steps that have been taken in the last few years to restore trust in transatlantic data flows.
The agreement in support of the new EU-U.S. transatlantic data transfer framework, known as the EU-U.S. Privacy Shield, was reached on February 2, 2016, between the U.S. Department of Commerce and the European Commission. Once adopted, the adequacy decision will establish that the safeguards provided when transferring personal data pursuant to the new EU-U.S. Privacy Shield are equivalent to the EU data protection standards. In addition, the European Commission has stated that the new framework reflects the requirements that were set forth by the Court of Justice of the European Union (the “CJEU”) in the recent Schrems decision.
The EU-U.S. Privacy Shield
The new framework provides a response to the concerns that have been raised by the European Commission and the CJEU with respect to transatlantic data transfers. It contains stronger commitments that must be undertaken by companies in the commercial sector, but also significant commitments with respect to the U.S. government’s access to personal data. The four most important aspects of the Privacy Shield are:
Enhanced obligations on companies and robust enforcement. Companies that are willing to transfer personal data from the EU to the U.S. must accept more stringent obligations regarding the processing of personal data and how individuals’ rights are guaranteed. Among other limitations introduced by the new framework, onward data transfers will be subject to more onerous requirements and liability provisions.
In addition, the Privacy Shield will include stricter oversight mechanisms to help ensure companies abide by their commitments, including regular monitoring by the U.S. Department of Commerce. In addition, companies will face severe sanctions or exclusion from the framework if they fail to comply.
Limits and safeguards regarding access to personal data by the U.S. government. The European Commission has obtained written assurances from the U.S. government (i.e., the Department of Justice and the Office of the Director of National Intelligence) that access to personal data by government authorities for law enforcement, national security and other public interest purposes will be subject to clear limitations, safeguards and oversight mechanisms.
Effective protection of EU citizens’ privacy rights and redress possibilities. Several affordable mechanisms to obtain individual redress will be available to data subjects who think their personal data has been misused under the new framework, whether via a direct complaint to the company or to their national data protection authority (“DPA”). Complaints made to a DPA will be referred to the U.S. Department of Commerce and the Federal Trade Commission for investigation. When receiving a complaint directly from individuals, companies must reply within 45 days. Companies handling personal data in the Human Resources context about European individuals must comply with the decisions of the competent DPA. In addition, companies also must designate an independent dispute resolution body to investigate and resolve individuals’ complaints and provide complimentary recourse to the individuals.
Further, in the context of a company’s certification, the Department of Commerce will verify that the company complies with the Privacy Principles of the Privacy Shield, and that it has designated an independent recourse mechanism. As a last resort, individuals will be able to bring their complaints to a newly-created Privacy Shield Panel, a dispute resolution body that can take binding and enforceable action against U.S. companies that have certified their adherence to the Privacy Shield.
EU citizens also will have a redress mechanism in the national security context. In particular, an independent Ombudsperson will be responsible for handling complaints and inquiries received from EU individuals regarding access to their data by national intelligence authorities. This redress mechanism will be extended beyond the EU-U.S. Privacy Shield and will be available to individuals for all data transfers to the U.S. for commercial purposes.
Annual joint review mechanism. The European Commission will annually monitor the functionality of all aspects of the EU-U.S. Privacy Shield, together with the U.S. Department of Commerce, EU DPAs, U.S. national security authorities and the Ombudsperson. Other sources of information, such as voluntary transparency reports, will also be used for monitoring the functionality of the framework. In the event that companies or public authorities do not comply with their commitments, the European Commission can activate a process to suspend the Privacy Shield.
Going Forward
The Commission encourages companies to prepare for the Privacy Shield so that they are in a position to self-certify to the new framework as soon as an adequacy decision is adopted by the Commission. In general, the various constituents involved in the new framework will be required to take the following actions in connection with the Privacy Shield:
U.S. Companies. U.S. companies must commit to comply with seven privacy principles, including (1) the Notice Principle, (2) the Choice Principle, (3) the Security Principle, (4) the Data Integrity and Purpose Limitation Principle, (5) the Access Principle, (6) the Accountability for Onward Transfer Principle, and (7) the Recourse, Enforcement and Liability Principle. In addition, the European Commission encourages companies to (i) select the EU DPAs as their complaint resolution mechanism under the Privacy Shield, and (ii) publish transparency reports on national security and law enforcement access requests regarding EU personal data.
U.S. Authorities. U.S. authorities will be responsible for enforcing the framework and respecting the limitations and safeguards established regarding access to personal data by law enforcement and for national security purposes. U.S. authorities also must handle complaints received from EU individuals in a timely and effective manner.
EU Data Protection Authorities. EU DPAs must ensure that individuals can exercise their rights effectively, including by transferring their complaints to the competent U.S. authority, as well as cooperating with the relevant U.S. authority. In particular, EU DPAs must assist complainants with cases brought in front of the Privacy Shield Panel, exercise oversight over transfers of EU HR personal data and trigger the Ombudsperson mechanism.
European Commission. The European Commission will adopt an adequacy decision that will be reviewed regularly, allowing the Privacy Shield to be consistently monitored, in contrast with the previous Safe Harbor.
Next Steps
An extraordinary plenary meeting of the Article 29 Working Party will be organized at the end of March 2016. After obtaining the non-binding opinion of the Working Party and consulting a committee composed of representatives of the EU Member States, a final decision by the College of Commissioners will be made. In the meantime, U.S. authorities will prepare for the implementation of the new framework.
FTC Chairwoman Edith Ramirez issued a statement in response to the release of the new framework. She said that “[t]he EU-U.S. Privacy Shield Framework supports the growing digital economy on both sides of the Atlantic, while ensuring the protection of consumers’ personal information. In providing an important legal mechanism for transatlantic data transfers, it benefits both consumers and business in the global economy.” Chairwoman Ramirez also emphasized the FTC’s role, saying that “the FTC will make enforcement of the new framework a high priority, and we will work closely with our European counterparts to provide robust privacy and data security protections for consumers in the United States and Europe.”
Read the Press Release of the European Commission.
Read the Fact Sheet on the EU-U.S. Privacy Shield.
For more information, visit the dedicated page on the European Commission’s website.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code