The European Commission has today formally adopted the EU-US Privacy Shield, the much-anticipated replacement for Safe Harbor that will allow the transfer of EU data to the US. The Shield is effective today, and US companies will be able to certify their compliance starting August 1.
Safe Harbor was killed off last October by the European Court of Justice (ECJ) in response to concerns that EU personal data located in the US was open to US National Security Agency surveillance and therefore could no longer meet EU privacy standards.
Following the demise of Safe Harbor, all transfers of EU data to the US have required additional safeguards beyond those outlined in the old Safe Harbor agreement, either by obtaining the consent of the data subject or through the use of EU Standard Clauses or Binding Corporate Rules (BCRs).
The EU-US Privacy Shield has been years in the making, with the ECJ decision on Safe Harbor serving to accelerate existing negotiations between the parties that had stalled on the issue of national security.
The Shield follows the same path as Safe Harbor, plugging the shortfalls in US data privacy laws with a voluntary scheme under which companies self-certify their compliance with a stringent framework of privacy standards. The Shield, however, imposes much stronger obligations on US companies to protect EU data than the old Safe Harbor rules did. Obligations under the new Shield include annual self-certifications declaring a company’s commitment to adhere to the principles of the Shield, the requirement to display a privacy policy on the company’s website, a responsibility to respond promptly to complaints, and the need to cooperate with European data protection authorities.
The US Department of Commerce will have the responsibility to undertake regular reviews to ensure compliance and has the power to apply sanctions. These sanctions may include the removal of a company from the authoritative list of US organizations that have self-certified to the Department of Commerce.
EU data subjects will have the right to file complaints through their local data protection authorities, which will be responsible for pursuing the matter with the Department of Commerce.
Issues relating to national security are to be addressed by an Ombudsperson (not the Department of Commerce), who will operate independently from the intelligence services and report to the US Secretary of State. The Shield is underpinned by written assurances from the US that there will be no mass surveillance activities. However, an assurance is not the same as a legal provision, and the US definition of “mass surveillance” will likely be challenged by European privacy activists.
In other words, the Privacy Shield circus is likely to rumble on. …
By Stuart Buglass, VP Consulting