Attorneys in WilmerHale's Cybersecurity, Privacy and Communications Practice recently wrote about the new EU-US Privacy Shield rolling out to replace Safe Harbor. We wanted to share this content with our startup audience because, for some of you, it could have an impact on how you do what you do.
After months of debate about the fate of the US-EU Privacy Safe Harbor that thousands of companies used to lawfully obtain personal data from the European Union, we finally have some details about the successor mechanism for handling transatlantic data transfers. Dubbed the "EU-US Privacy Shield," the new voluntary framework envisions a more active role for government officials and regulators on both sides of the Atlantic. The text of the new arrangement is expected to become available in the coming weeks.
A press release from the European Commission explains that the new arrangement will impose: (1) strong obligations on companies handling Europeans' personal data and robust enforcement; (2) clear safeguards and transparency obligations on US government access; and (3) effective protection of EU citizens' rights with several redress possibilities. In short, the US Department of Commerce has explained that the framework aims both to encourage additional commercial privacy protections and oversight and to address European concerns regarding US government surveillance practices.
What safeguards are envisioned?
Under Privacy Shield, the Department of Commerce, Federal Trade Commission (FTC), and EU Data Protection Authorities (DPAs) will conduct an annual review of the new framework. Unlike the Safe Harbor, officials expect to make periodic changes to the framework. The Department of Commerce will be given additional resources to supervise compliance with the Privacy Shield. It will monitor whether companies have published their commitments under the framework and will be more involved in resolving consumer complaints. EU citizens will have access to additional avenues to resolve privacy concerns at no cost to them. New deadlines for responding to complaints will be imposed, and participating US companies must commit to participating in binding arbitration as a matter of last resort. Further arrangements will be made among the FTC and DPAs with respect to their individual capacities to address individual complaints and other broad privacy concerns. DPAs will also have a stronger role in policing the new framework. Companies relying on the Privacy Shield...