UPDATE: Since this article was drafted, Privacy Shield has been formally adopted and is now in effect. Please see this article for more information.
After four months of frantic negotiations, the U.S. and the European Union have a new deal on cross-border data transfer. The agreement, dubbed the “Privacy Shield,” replaces the Safe Harbor Framework, a bilateral agreement governing transfer of personal information that was struck down by the European Court of Justice in October of last year. News of the detente was greeted with a mixture of skepticism and relieved adulation, tempered with a dash of confusion. What do you need to know about Privacy Shield?
What’s Different About the Privacy Shield?
The first thing to note is that details on the nascent Privacy Shield are scant, as the deal has yet to be approved and adopted (see below). But here’s what we know the Privacy Shield will encompass:
- Surveillance Restrictions: According to the European Commission, the U.S. has provided “written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards, and oversight mechanisms.” If that sounds a tad vague to you, you’re in good company. The Commission has provided little in the way of specifics as to these safeguards. All we know is that, under Privacy Shield, the Office of the Director of National Intelligence will certify that the U.S. will not perpetrate “indiscriminate mass surveillance” on Europeans’ personal data transferred Stateside. The Commission, in conjunction with the U.S. Department of Commerce, will monitor the agreement annually to ensure adherence.
- Complaint Resolutions: Under Privacy Shield, EU citizens who feel their data is being misused have a variety of options. They can make individual complaints, and European Data Protection Authorities can refer such complaints to the Department of Commerce and the Federal Trade Commission. Companies will be required to respond within a strict timeframe. If the issue remains unresolved, alternative dispute resolution will be provided at no cost. Under the agreement, an ombudsman will also be installed at the Department of Commerce to handle questions involving access by national security agencies.
- Strengthened Protections: Companies handling European data will be subject to increased scrutiny from regulators on both sides of the Atlantic. Acceding organizations “will need to commit to robust obligations,” which they will publish for inspection by the FTC. While the full list of details has not yet been made public, chances are stringent privacy commitments are in the offing.
What Can I Do To Comply With the Privacy Shield?
Wait and see. Privacy Shield faces a long road to approval and adoption, with legal challenges from privacy activists and EU regulators waiting in the wings. The details of corporate obligations are too thin at the moment to provide concrete guidance on specific subjects. However, it is never too early to ensure your company is following best practices in the privacy arena. Here are a couple of important steps:
- Make your company safe: Data privacy is the definitive issue of the modern marketplace. Make sure your company handles issues such as personally identifiable information, privacy policies and legal enforcement with the utmost care and sophistication.
- Read up…and get ready: You should familiarize yourself with the EU’s position on individual privacy and the handling of data. This type of knowledge will come in handy when the full details of Privacy Shield are released.
For more information on Privacy Shield and any other privacy-related matter, contact us.
DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.