On February 29, the European Commission published its complete draft of the EU-U.S. Privacy Shield framework. The framework, if approved, will replace the invalidated Safe Harbor, which was the governing mechanism for the transfer of European personal data to the U.S. for commercial purposes. The framework has been criticized by members of the European Parliament and civil liberties groups in the United States.
The Privacy Shield keeps the basic self-certification mechanism of Safe Harbor, but contains new substantive requirements for U.S. businesses. Privacy Shield participants would need to meet a number of new requirements, as well as more exacting versions of old requirements.
- Privacy notices must include more information about Privacy Shield requirements than previously needed under Safe Harbor. Businesses will need to make clear their participation, identify redress mechanisms available to European data subjects, and explain under what circumstances they will disclose personal data to government agencies for law enforcement or national security purposes.
- Participating businesses will fund a last-resort arbitration system, in addition to providing other dispute resolution mechanisms to EU data subjects free of charge.
- Third-party data controllers will have to agree by contract to maintain Privacy Shield protections before a participating business can disclose personal information to them. This will be the case even if the third party independently meets EU data transfer requirements.
- Participating businesses must continue to protect data collected under Privacy Shield, even if they later choose not to re-certify or are disqualified from participating.
Federal agencies have also committed to stronger oversight of the Privacy Shield framework. The Department of Commerce has agreed to step up monitoring and to designate an official contact for European Data Protection Authorities to receive and respond to inquiries, inform them of potential violators, and facilitate resolution of complaints. The Federal Trade Commission has also pledged to step up enforcement, and both agencies will participate in a joint annual review of the framework with the European Commission and Data Protection Authorities.
To satisfy the European Court of Justice’s requirements from the Schrems decision, the Privacy Shield framework includes letters from the Office of the Director of National Intelligence and the Department of Justice detailing U.S. regulation of national security surveillance and law enforcement access to data. The framework also establishes a State Department Ombudsman responsible for addressing grievances of EU data subjects over specific alleged surveillance abuses.
Privacy groups and European lawmakers in the European Parliament’s civil liberties committee viewed the framework’s safeguards against improper surveillance with skepticism. Committee members questioned whether the commitments on surveillance made by the Office of the Director of National Intelligence and the Department of Justice were sufficiently binding and enforceable. In addition, a number of civil liberties groups sent a letter expressing their view that legislation from Congress is the only way to guarantee that European personal data would be protected from indiscriminate surveillance.
The European Commission hopes to finalize the Privacy Shield this summer. Before that can happen, the Article 29 Working Party has to give its opinion on the framework, and representatives from EU Member State governments must assent to it. The view of the Working Party is important, despite its inability to officially reject the framework, because the individual Data Protection Authorities that make up the Working Party can challenge the framework in future court actions. While a negative opinion of the framework is not fatal to finalization, it could signal future challenges to the framework in European courts.