Yesterday, the European Commission announced that EU and US officials had reached an agreement to implement a program known as the EU-US Privacy Shield. Privacy Shield is designed to be the successor to the Safe Harbor program, which the European Court of Justice (CJEU) invalidated last October. The announcement brings some relief to the many companies that previously had self-certified their compliance with the Safe Harbor program and feared enforcement actions brought by European data protection authorities (DPAs) against those Safe Harbor adherents who had not adopted alternative means of legitimizing transatlantic data transfers after the CJEU’s decision. However, as the Privacy Shield would not become effective for at least several more months, such enforcement actions are, theoretically, still possible.
While details of the Privacy Shield program are only just emerging, the European Commission’s announcement did highlight a few important details and general themes. It should be noted that the European Commission’s press release was vague as to many of these points, and the text of the forthcoming adequacy decision, as well as additional guidance by EU and US agencies, should help resolve some of the ambiguities. Regardless, potential Privacy Shield participants should take note of these points and consider how they may affect their businesses. Specifically:
- US companies will face “stronger obligations” to protect Europeans’ personal data, and must “publish their commitments” to data protection. While companies had to publish a compliant privacy policy and self-certify in order to demonstrate their compliance with the Safe Harbor principles – a relatively straightforward process that resulted in a company’s name being added to a compliance list on the Department of Commerce’s website – it remains to be seen what will be required of companies that wish to “publish their commitments” to the Privacy Shield principles, as well as the nature of the “stronger obligations” for data protection.
- The US Department of Commerce and Federal Trade Commission will engage in “stronger monitoring and enforcement” of companies’ data protection practices. What this “stronger monitoring and enforcement” will entail remains to be seen.
- The US has provided “written assurances” that the ability of national security and law enforcement authorities to access personal data “will be subject to clear limitations, safeguards and oversight mechanisms,” and that the US government will not engage in “indiscriminate mass surveillance” of personal data transferred to the US under the Privacy Shield arrangement. As the CJEU’s October decision showed, the extent of US government surveillance of personal data was a major concern within the EU and was one of the primary reasons why the Court invalidated the Safe Harbor program. It looks like the Privacy Shield may represent an attempt to mitigate some of these concerns.
- Anyone who feels that their personal data has been misused under the Privacy Shield program will have opportunities for redress. The Judicial Redress Act in the US, once enacted, should help fulfill this commitment. Europeans also will be able to contact an Ombudsperson with any complaints about potential data misuse. The US apparently has committed to designating an ombudsperson in the coming weeks.
- The EU and US will engage in an “annual joint review” in order to assess the implementation of these measures.
The Privacy Shield likely will not go into effect until at least April, as it still must be approved by the EU member states. In the meantime, expect to see privacy advocates and consumer groups file legal actions challenging the new program’s validity. Check back here for the latest developments.