Please join us for a teleconference, "An Overview of the Recently Released Privacy Shield Documents and the Obligations of Participating Companies and Organizations," which will be hosted by Dr. Martin Braun and D. Reed Freeman, Jr. on Wednesday, March 2, from 12-1 p.m. ET (6-7 p.m. CT).
On Monday, February 29th, the European Commission and U.S. Department of Commerce released a collection of documents summarizing actions taken on both sides of the Atlantic to implement the new Privacy Shield framework. This framework is designed to replace the "Safe Harbor" regime that was invalidated by the European Court of Justice in October 2015. Of significant note, the Department of Commerce (Commerce) released a detailed set of Privacy Shield Framework Principles, as well as a letter from the Office of the Director of National Intelligence (ODNI) summarizing the legal framework around U.S. intelligence gathering.1
In response to these materials, the European Commission released a draft adequacy decision on the Privacy Shield. This draft decision explains how the new framework provides "an adequate level of protection" under EU law for personal data transferred to self-certified U.S. companies.2 The decision will need to be formally adopted and published in the Official Journal of the EU before the Privacy Shield can become an effective mechanism for data transfers.
To assist with that process, Commerce has produced a package of materials to support the Commission's adequacy finding. These materials discuss safeguards and legal limits imposed on both the intelligence community and the Department of Justice for access to personal data. They also include Privacy Shield commitments by a number of different agencies, including Commerce, the State Department, the Department of Transportation, and the Federal Trade Commission (FTC).
The new arrangement will increase obligations on participating U.S. companies and will require stronger monitoring and enforcement efforts by U.S. regulators, including the FTC. To take advantage of the Privacy Shield as a basis for transferring personal data from the EU to the United States, U.S. companies will need to:
- self-certify adherence to the new framework's Principles (and re-certify annually thereafter);
- verify their public Privacy Shield commitments through either a self-assessment or an outside compliance review;
- agree to be responsive to inquiries for information about their Privacy Shield compliance; and
- respond to any individual complaints within forty-five days.

The Privacy Shield framework further envisions several additional layers of consumer redress for EU individuals. The Principles also impose new transparency obligations and require new contractual commitments for onward data transfers.
In a letter to the European Commission, the FTC has committed to prioritizing referrals from both EU Member States and self-regulatory bodies regarding potential Privacy Shield noncompliance.3 The FTC will create a standardized referral process and provide additional guidance, and it intends to...