The New E.U.-U.S. Privacy Shield: What You Need to Know

February 5, 2016 Advisory

The European Union (E.U.) College of Commissioners has approved an agreement between the E.U. and the United States regarding the transatlantic data flow of E.U. citizens' personal information. Referred to as the E.U.-U.S. Privacy Shield, the new agreement replaces the Safe Harbor framework, which had been in place for fifteen years before being invalidated by the European Court of Justice last October.

E.U. law provides privacy guarantees to its citizens and prohibits transfers of personal data to countries outside the E.U. unless those countries offer an "adequate level of protection." While the U.S. Safe Harbor framework was meant to provide that protection, the European Court determined that the framework was inadequate in light of the U.S. government's surveillance policy. The E.U.-U.S. Privacy Shield was designed to address that concern. While the actual text of the agreement has not yet been released, three main aspects of the E.U.-U.S. Privacy Shield have been publicized:

1. Stricter Obligations on U.S. Companies Handling the Personal Data of Europeans: U.S. companies transferring personal data from the E.U. to the U.S. will be required to commit to "stronger obligations" on how personal data is processed and individual rights are guaranteed. The Department of Commerce will require companies to publish these promises and the Federal Trade Commission, through its current enforcement mechanisms, will ensure that companies abide by them. In addition, any U.S. company handling human resources data from Europe must commit to comply with decisions by European Data Protection Authorities.

2. Regulation of U.S. Surveillance Activities: According to E.U. Commissioner Vera Jourová, "[f]or the first time ever, the United States has given the E.U. binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms." While the details are still unknown, the U.S. apparently has agreed to access the personal data of Europeans only to the extent necessary and proportionate for national security purposes and not to employ indiscriminate mass surveillance. The European Commission and the U.S. Department of Commerce will conduct an annual review of the E.U.-U.S. Privacy Shield, which will include national intelligence experts discussing the extent of national security access.

3. Establishment of a Complaint Process: The E.U.-U.S. Privacy Shield provides several new venues for European citizens to raise complaints about data misuse by U.S. companies. A data privacy ombudsman position will be created within the U.S. State Department to follow up on complaints from E.U. citizens on U.S. surveillance and respond to inquiries about national security access to personal data. A free alternative resolution mechanism will be established to help resolve complaints. Also, European Data Protection Authorities may refer complaints to the Department of Commerce and Federal Trade Commission.

While its name evokes superhero imagery, the E.U.-U.S. Privacy Shield has generated mixed reactions so far, with some arguing that it does not put into place any new, concrete, legally binding mechanisms to protect the personal data of Europeans, and others maintaining that it corrects the issues with the Safe Harbor that were identified by the European Court of Justice. American companies engaged in the transatlantic data flow of E.U. citizens' personal information should stay tuned for the release of the written agreement and guidance from U.S. government agencies to ensure that they comply with any new mandates.