The European Commission has approved the EU – U.S. Privacy Shield to replace the Safe Harbor program invalidated by the European Court of Justice last year in Schrems v. Data Protection Commissioner. The Privacy Shield governs the transfer of personal information from the European Union to businesses in the United States. Indeed, it is apparent from the formal approval documents that the European Commission and the U.S. Department of Commerce made great efforts to address the procedural and substantive deficiencies identified in Schrems as well as criticisms raised by the EU’s data protection commissioners.
Key new requirements of the Privacy Shield for businesses include:
- disclosing more information in their privacy policies,
- introducing additional recourse mechanisms for data subjects for Privacy Shield violations, and
- limiting data retention based on the original purposes for data collection.
These new requirements may prove challenging for many businesses. The Safe Harbor framework required assurances that the transferee provided a level of protection equivalent to the Safe Harbor. By contrast, the Privacy Shield requires data holders to obtain privacy-protective contracts from their business partners, even if the contractor participates in the Privacy Shield or uses other compliance mechanisms. Companies that commit to the Privacy Shield in the first two months of implementation will be given a nine-month grace period to bring existing data sharing arrangements with their vendors and partners into compliance.
The Privacy Shield increases EU regulatory oversight, including the imposition of an annual joint review of the program and a formal exit procedure in the event the Commission finds the program deficient. The joint review will involve reporting—albeit limited—on U.S. intelligence activities intended to address the European Court of Justice’s concerns that the Safe Harbor decision did not include an analysis of the civil liberties protections from surveillance authorities. The results of the first review will be critical to the viability of the Privacy Shield and the confidence of businesses to avail themselves of it, as both the Article 29 Working Party and the European Data Protection Supervisor will scrutinize the application and enforcement of the Privacy Shield closely.
The Privacy Shield kept the benefits of the Safe Harbor’s light administrative procedures and self-certification framework that provides an easier way to receive EU data subject information than other mechanisms like model contract clauses or binding corporate rules. But businesses seeking to avail themselves of this option should be aware of the more stringent requirements, as well as the increased pressure on Federal agencies to show to EU authorities that the framework will substantively protect the privacy of EU data subjects, especially in the first year.