Following an initial agreement made in early February 2016, the European Commission has published texts that will constitute the “EU-U.S. Privacy Shield.” The new agreement, if approved and implemented, will provide a new option for legal transfers of personal data from the EU to the U.S., following the invalidation of the Safe Harbor framework.
According to the European Commission, “[t]he new framework reflects the requirements set by the European Court of Justice in its ruling from 6 October 2015.” Simultaneously, FTC Chairwoman Edith Ramirez stated, “The EU-U.S. Privacy Shield Framework supports the growing digital economy on both sides of the Atlantic, while ensuring the protection of consumers’ personal information. In providing an important legal mechanism for transatlantic data transfers, it benefits both consumers and business in the global economy.”
The Privacy Shield has a variety of elements and requirements, only some of which existed in the old Safe Harbor Framework. The Privacy Shield’s requirements include:
- An organization must inform individuals about its participation in the program and disclose an increased number of details about its practices, including the expanded rights of individuals to seek dispute resolution, including binding arbitration, and the fact that the organization is subject to the investigatory and enforcement powers of the FTC and other regulators.
- The organization must offer individuals the opportunity to opt out from certain data uses and disclosures, and it must obtain express consent for certain disclosures and uses of sensitive personal information.
- Many transfers to third parties are subject to notice and choice requirements, and now participating companies must contractually bind the data recipients to certain terms. In one significant departure from Safe Harbor, specific contractual provisions now are required not only with recipients who act as “agents” (i.e., third parties with no right to use the data for their own benefit) but also with “controllers” (i.e., third parties who can use the data for their own benefit).
- Security remains important. “Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.”
- Individuals have a right to access and correct personal information about them.
- Individuals’ complaints and disputes must be investigated and resolved at no cost to the individuals. Complaints must be resolved by companies within 45 days. EU citizens can also go to their national Data Protection Authorities, who will work with the U.S. regulators to ensure that complaints by EU citizens are resolved.
Regarding remedies and sanctions, the FTC has committed to “reviewing on a priority basis referrals alleging non-compliance with the Principles received from: (i) privacy self-regulatory organizations and other independent dispute resolution bodies; (ii) EU Member States; and (iii) the Department, to determine whether Section 5 of the FTC Act prohibiting unfair or deceptive acts or practices in commerce has been violated.” Additionally, there will be an annual joint review to monitor the functioning of the agreement.
A newly created ombudsperson will handle individual complaints from EU citizens who fear that their personal information has been unlawfully used by U.S. national security agencies. The ombudsperson will keep the complainant apprised as to whether the matter has been properly investigated or remedied. Reuters has reported that U.S. Under Secretary of State Catherine Novelli will take this role.
According to the Commission, the next steps are, “a committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities (Article 29 Working Party) will give their opinion, before a final decision by the College.” A Commission adequacy decision, which establishes that a non-EU country ensures an adequate level of protection for personal data, must be adopted before the Privacy Shield takes effect. A full-fledged replacement of Safe Harbor may be close, but hurdles remain.