Recent News - Privacy Shield Could Get Transatlantic Data Sharing Back on The Up and Up

Bookmark and Share

Mar 01

Annie Allison

Privacy Shield Could Get Transatlantic Data Sharing Back on The Up and Up

Posted by Annie Allison

Following the “fall” of the US-EU Safe Harbor Agreement a few months ago, it looks as if EU and US officials have finally reached a plan to help US companies comply with EU data protection rules for transatlantic data transfers and sharing.

The new plan, aptly named the EU-U.S. Privacy Shield, aims to offer strong and enforceable protections for personal data in the EU.  While the EU-U.S. Privacy Shield Framework is still in the approval process, here’s a brief look at the proposed new key elements for companies planning to certify under the Framework:

  • U.S.-based companies can self-certify under the Privacy Shield Framework, and in doing so must publicly commit to complying with its requirements.
  • Privacy Shield participating companies must include notice about their certification in their privacy policies, making their commitment enforceable under U.S. law.
  • Participating companies must also include a link to the Department of Commerce’s Privacy Shield website and a direct link for EU individuals to use if they want to make complaints about personal data use.
  • Participating companies must respond to violation complaints within 45 days.
  • EU individuals will have a private right of action in U.S. state courts for violations or misrepresentations by companies purporting to follow the Framework.  Companies must also agree to binding arbitration at the request of the EU plaintiff.
  • The FTC has committed to vigorously enforce the Privacy Shield Framework.
  • Privacy Shield participants must limit collection of personal information to only that personal information absolutely necessary for the company to fulfill its purpose.
  • If a company leaves the Privacy Shield Framework, it must regularly certify that it will uphold its prior privacy commitments for any personal data that it retains after cancelling its certification.

The Privacy Shield is not good-to-go just yet - EU member states still need to approve the agreement, which is not expected to be contentious.  Still, several data protection experts, including Max Schrems, who’s own case ultimately invalidated the original Safe Harbor framework , have raised concerns about whether this new Privacy Shield will pass muster.  Schrems tweeted  that the new Privacy Shield amounts to little more than putting lipstick on a pig!   

Schrems points out that there are still exceptions in the Privacy Shield allowing the U.S. to collect data “in bulk” (for example, for counterterrorism purposes or detecting and countering threats to U.S. or allied armed forces), despite the fact that the European Commission was clear that no bulk-based surveillance activity will be acceptable under EU privacy law.

Hoping to alleviate concerns, U.S. Secretary of State John Kerry noted in a letter to EU justice commissioner Vera Jourova that the Privacy Shield Framework requires a new ombudsman to act as a first point of contact for EU individuals concerned that the American government has misused their data.  The EJC has indicated they will closely monitor the new Privacy Shield to make sure that EU privacy rights are upheld in the U.S. 

No agreement of this magnitude is ever going to perfect or fully satisfy the concerns of every faction pushing for privacy, but a plan that aims to better protect EU personal data, while providing transparency and clearer guidelines for U.S. companies trying to conduct business in the EU, is far better than no plan at all.