On 29 February 2016, the US Department of Commerce and the European Commission released details of the new Privacy Shield, intended to replace Safe Harbor.
According to the documentation released, Privacy Shield includes an expanded set of privacy principles, increased operational vetting to be conducted by the US Commerce Department, a new role for EU data protection authorities, assurances of enforcement from the US Federal Trade Commission and a new arbitration model. Crucially, Privacy Shield provides for additional transparency and processes associated with U.S. government access to the personal data of EU individuals.
For most businesses, Privacy Shield will in practice be very similar to Safe Harbor, and most of the Privacy Shield requirements follow the original Safe Harbor framework (e.g. the self-certification requirements under Safe Harbor remain largely intact). However, some principles have been given more detail and/or updated. This means that businesses transitioning from Safe Harbor to Privacy Shield will need to take several further affirmative steps to bring their practices into compliance with Privacy Shield.
Under Privacy Shield the US Commerce Department will be more rigorous in confirming the accuracy of the contents of the self-certification and affirmatively searching for non-compliant organisations.
Individuals may raise complaints regarding the treatment of their personal information through several mechanisms.
US GOVERNMENT ACCESS
Privacy Shield documentation describes limitations on, and oversight of, U.S. government access to the personal data of EU individuals, including a redress possibility through an Ombudsman mechanism within the Department of State, which will be independent from the national security services.
The ability of businesses on both sides of the Atlantic to benefit from a mechanism that provides easy and secure transatlantic data flows now depends on the response of EU regulators and courts to Privacy Shield.
The details just released will be reviewed by the EU’s Article 29 Working Party, which will render a non-binding opinion ‘within the next few months’. Taking that opinion into account, the full European Commission will then formally vote on the adequacy of Privacy Shield, at which point it will take effect.
These limitations on, and oversight of, U.S. government access to the personal data of EU individuals will, no doubt, be closely scrutinised by EU privacy regulators, and the long-term viability of Privacy Shield will be dependent on the effectiveness of these controls.
This article is intended for informational purposes only and should not be relied upon as legal advice.