EU-US Privacy Shield: What Does this Mean for the Private Sector?

Its déjà vu all over again, the EU and US have announced that they have reached an agreement in principle on new rules governing transatlantic data transfers. They are now finalizing their agreement, which will be called the EU-US Privacy Shield. The EC announced that it will prepare a draft “adequacy decision” on the Privacy Shield in the upcoming weeks (ETA: end of February).

At this time, deal terms of this agreement related to the private sector are slowly being disclosed, such as:

• “Strong obligations” on companies that handle Europeans’ personal data, coupled with “robust enforcement”.
• US companies will be required to declare that based on their interpretation of the Privacy Shield and related laws, they are complaint with it. Companies that broke their terms of the agreement would face escalating sanctions, up to and including “removal from the list” of those firms legally allowed to collect EU citizens’ data and transfer it to the U.S.
• The Department of Commerce and the FTC will have significant roles in enforcing the terms of the agreement. It appears that the US Department of Commerce will be monitoring what companies publish as their commitments to protect and secure personal data, and the FTC will be in charge of enforcing data privacy enforcement under US law.
• There will be regulations for companies handling human resource data from Europe, requiring at a minimum that they comply with decisions by EU’s data protection authorities.
• There will be new complaint procedures for EU citizens to utilize to complain about misuse of their personal data in the US, from making initial complaints to the particular US company, all the way to complaint procedures involving the US Department of Commerce and FTC.

The Privacy Shield has already received criticism. Some are arguing that it is really not an agreement/treaty, but a letter of understanding or pledge. Others argue that it will be stricken down by European Court of Justice.

As this all works itself out over the next several months, the Article 29 Working Party, the body made up of representatives of individual European Member States’ data protection authorities (DPAs), has announced that it has agreed to allow more time for the EU and US to finalize the Privacy Shield and will not be taking enforcement action against companies that are using alternative transfer mechanisms (contracts) in the wake of last year’s Safe Harbor strike down (Schrems).

We will need to actually see the Privacy Shield language in order to provide compliance advice. However, in the interim, we will continue to monitor the finalization of this agreement (ETA: end of April) and provide updates to you.