Last week, the European Commission announced they had reached agreement with the United States Department of Commerce on a new framework for the transfer of personal data of EU data subjects from EU member states to the U.S. The new data framework, called the EU-US Privacy Shield, attempts to address concerns cited by the European Court of Justice that caused it to invalidate the EU-US Safe Harbor last October.
The Privacy Shield will require participating businesses to make and publish their privacy commitments, though it is unclear exactly what substantive commitments will be required. Similar to the Safe Harbor framework, the Department of Commerce and the Federal Trade Commission will enforce those commitments. The new framework will also formalize dispute resolution mechanisms. Businesses will be encouraged to resolve disputes in-house, but the Privacy Shield would establish a free (to the data subject) external dispute resolution mechanism. The framework also allows National Data Protection Authorities to refer complaints they receive to the Federal Trade Commission.
The Privacy Shield incorporates new mechanisms to address surveillance issues beyond FTC jurisdiction. In addition to binding written assurances from the U.S. that the processing of personal data for national security purposes is properly limited under clear rules, the new framework would establish an ombudsman in the State Department that will respond to inquiries about the Privacy Shield and address concerns and communications from European Data Authorities. The new framework also will include an annual US-EU joint review to ensure compliance with program requirements by the intelligence community.
The Commission will send a formal description of the agreement to the Article 29 Working Party, a group comprised of the National Data Protection Authorities of the European Union Member States. In their press release issued on Wednesday, the Working Party stressed the need for the agreement to meet key criteria ensuring that surveillance practices are limited, and that individuals have effective remedies to deal with any potential transgressions. The Working Party encouraged the Commission to submit the formal arrangement by the end of February. After the Working Party has commented on the Privacy Shield and European Union member states approve, the Commission will decide whether to formally approve the arrangement. In the meantime, however, the Working Party will maintain its enforcement activities on a case-by-case basis and continue to honor other data transfer mechanisms such as Binding Corporate Rules and Model Contract Clauses.
Hanson Bridgett’s Privacy, Data Security and Information Governance Practice will monitor developments on the Privacy Shield and keep you informed as new details emerge.