Many of you know that in October 2015 the European Court of Justice (ECJ) invalidated the Safe Harbor principles agreed to by the US and the European Union (EU) that facilitated the transfer of data of EU citizens to the US. For more on that you can read my earlier post on the subject. Even before the ECJ issued its judgment, the US and the EU were working on what was informally referred to as “Safe Harbor 2.0”. Those efforts intensified over the past few months on account of the judgment.
On February 2, 2016 the negotiations bore fruit. Well, almost. On that date the EU announced that an agreement had been reached to replace the Safe Harbor with the “EU-US Privacy Shield”. While we have that great new metaphorically distinct name, we don’t actually have a formal agreement yet. Although the negotiators haven’t given us a document to pore over, they have described elements that the agreement will include. Those elements are:
- US companies moving data from the EU to the US must “commit to robust obligations on how personal data is processed and individual rights are guaranteed”.
- The US Federal Trade Commission (FTC) will monitor US companies’ compliance with the Privacy Shield, and will be able to enforce the agreement.
- US companies handling human resources data from the EU must comply with the decisions of European data protection authorities (DPA).
- “Clear limitations, safeguards and oversight mechanisms” applying to US public authorities’ access to EU citizens’ information. These will effectively eliminate indiscriminate mass surveillance of EU citizens. An annual joint review by the EU and US will monitor compliance.
- EU citizens will be able to lodge complaints with US companies, and those companies will have a deadline to respond.
- EU DPAs will be able to refer citizen complaints to the US Commerce Department and the FTC.
- EU citizens with complaints about the misuse of their data can engage in alternative dispute resolution proceedings with the US company involved at no charge to them. The US Commerce Department has stated that companies will commit to arbitrating complaints as a last resort.
- An ombudsman will be created to investigate complaints regarding access to personal data by US national intelligence authorities.
The Privacy Shield clearly was created to address concerns in the ECJ’s judgment regarding generalized access to personal information by US authorities and the absence of any means for EU citizens to challenge the handling of their data. Whether the Privacy Shield resolves those concerns and truly proves to be a shield for US companies (as well as for EU citizens) remains to be seen. Until we have a draft framework to look at it will be difficult to analyze whether the Privacy Shield will pass muster with the ECJ. A legal challenge to the framework does seem likely though, so it is very possible the ECJ ultimately will end up deciding the issue.
What should companies do in the interim? Companies can still use model contract clauses and binding corporate rules to comply with EU law. Some have questioned the validity of these methods in light of the Safe Harbor decision. With that in mind, at the moment the only method of handling EU citizen data that is certain not to violate EU law is to store it in the EU and thereby avoid transferring it to the US altogether.
Once the Privacy Shield is implemented, US companies that elect to use it could end up having to respond to claims from EU citizens, EU DPAs, and the FTC. The expense this will create will be a powerful new incentive for companies to carry state-of-the-art cyber policies that provide sufficient coverage for regulatory claims.