In October 2015, the European Court of Justice invalidated the International Safe Harbor Privacy Principles, which had been established in 2000. The Safe Harbor Privacy Principles allowed certified U.S. companies to receive the personal data of EU residents in compliance with EU cross-border transfer rules. While many rejoiced at the invalidation, numerous legal experts predicted that the invalidated Safe Harbor Privacy Principles would quickly be replaced. The legal experts were right.
The EU-US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. After more than two years of negotiations, the framework was adopted by the European Commission on July 12, 2016, and went into effect the same day. View the full text of the EU-US Privacy Shield framework. U.S. Secretary of Commerce Penny Pritzker and EU Justice Commissioner Věra Jourová announced the deal together in Brussels. Jourová was quick to point out that the EU-US Privacy Shield is fundamentally different from the previous Safe Harbor arrangement because of its annual joint review, which allows the EU to address issues as they arise. Jourová went on to say “it brings stronger data protection standards that are better enforced, safeguards on government access and easier redress for individuals in case of complaints.” The EU-US Privacy Shield received quick praise from Microsoft and Google, among other global technology companies.
The purpose of the EU-US Privacy Shield is to impose stronger obligations on United States companies to protect Europeans’ personal data. The EU-US Privacy Shield requires the United States to monitor and enforce compliance more robustly and to cooperate more closely with European Data Protection Authorities. In fact, the EU-US Privacy Shield even includes written commitments and assurances regarding access to data by public authorities.
For Europeans, the EU-US Privacy Shield is a victory because it requires more transparency about transfers of personal data to the United States and stronger protection of that data. Under the EU-US Privacy Shield, the United States Department of Commerce is charged with conducting “regular reviews” to ensure compliance. The EU-US Privacy Shield also makes it easier and more cost-effective for Europeans to pursue a complaint. Any European who believes that his or her privacy rights have been violated can file a complaint with a national data protection authority, which will then forward it to the Department of Commerce or the Federal Trade Commission (FTC), or, as a last resort, pursue it through an arbitration mechanism.
Speaking of the FTC, a company’s failure to comply with the EU-US Privacy Shield Principles is enforceable under Section 5 of the FTC Act, which prohibits unfair and deceptive acts. The FTC has stated plainly that “The FTC has committed to make enforcement of Framework a high priority, and will work together with EU privacy authorities to protect consumer privacy on both sides of the Atlantic.”
The EU-US Privacy Shield Framework recently launched a new website filled with valuable information that everyone should take the time to read. The United States Department of Commerce has also created a “Fact Sheet” with an overview of the protections provided and how the program works. View the easily accessible online “Fact Sheet”.
The new EU-US Privacy Shield is no joke: every online business needs to take it seriously, evaluate whether it applies, and determine how to comply. The Privacy Shield needs to be evaluated carefully alongside the company’s own data transfer practices to decide whether self-certification to the Privacy Shield is the way to go. My office is always happy to discuss the new EU-US Privacy Shield with both existing clients and those individuals and businesses that are seeking additional information or legal representation.