Data Transfer

Update: EU-US Privacy Shield

UPDATE: Since this article was drafted, Privacy Shield has been formally adopted and is now in effect. Please see this article for more information.

After four months of frantic negotiations, the U.S. and the European Union have a new deal on cross-border data transfer. The agreement, dubbed the “Privacy Shield,”replaces the Safe Harbor Framework, a bilateral agreement governing transfer of personal information that was struck down by the European Court of Justice in October of last year. News of the detente was greeted with a mixture of skepticism and relieved adulation, tempered with a dash of confusion. What do you need to know about Privacy Shield? 

What’s Different About the Privacy Shield?

First thing to note is that details on the nascent Privacy Shield are scant, as the deal has yet to be approved and adopted (see below). But here’s what we know the Privacy Shield will encompass:

  • Surveillance Restrictions: According to the European Commission, the U.S. has provided “written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards, and oversight mechanisms.” If that sounds a tad vague to you, you’re in good company. The Commission has provided little in the way of specifics as to these safeguards. All we know is that, under Privacy Shield, the office of the director of national intelligence will certify that the U.S. will not perpetrate “indiscriminate mass surveillance on Europeans’ personal data transferred Stateside. The Commission, in conjunction with the U.S. Department of commerce, will monitor the agreement annually to ensure adherence.
  • Complaint Resolutions: Under Privacy Shield, EU citizens who feel their data is being misused have a variety of options. They can make individual complaints, and European Data Protection Authorities can refer such complaints to the Department of Commerce and the Federal Trade Commission. Companies will be required to respond within a strict timeframe. If the issue remains unresolved, alternative dispute resolution will be provided at no cost. Under the agreement, an ombudsman will also be installed at the Department of Commerce to handle questions involving access by national security agencies.

What Can I Do To Comply With the Privacy Shield?

Wait and see. Privacy Shield faces a long road to approval and adoption, with legal challenges from privacy activists and EU regulators waiting in the wings. The details of corporate obligations are too thin at the moment to provide concrete guidance on specific subjects. However, it is never too early to ensure your company is following best practices in the privacy arena. Here are a couple of important steps:

For more information on Privacy Shield and any other privacy-related matter, contact us.


DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.

Aaron Murphy

Aaron Murphy is a law student at UC Berkeley School of Law. He is passionate about international law, information privacy, business law, financial transactions, and the intersection of philosophy, culture and American jurisprudence.

More Posts