Safe Harbor 2.0 Agreement Reached; New Program To Be Named 'Privacy Shield'

Author:Ms Courtney M. Bowman
Profession:Proskauer Rose LLP

Yesterday, the European Commission announced that EU and US officials had reached an agreement to implement a program known as the EU-US Privacy Shield. Privacy Shield is designed to be the successor to the Safe Harbor program, which the European Court of Justice (CJEU) invalidated last October. The announcement brings some relief to the many companies that previously had self-certified their compliance with the Safe Harbor program and feared enforcement actions brought by European data protection authorities (DPAs) against those Safe Harbor adherents who had not adopted alternative means of legitimizing transatlantic data transfers after the CJEU's decision. However, as the Privacy Shield would not become effective for at least several more months, such enforcement actions are, theoretically, still possible.

While details of the Privacy Shield program are only just emerging, the European Commission's announcement did highlight a few important details and general themes. It should be noted that the European Commission's press release was vague as to many of these points, and the text of the forthcoming adequacy decision, as well as additional guidance by EU and US agencies, should help resolve some of the ambiguities. Regardless, potential Privacy Shield participants should take note of these points and consider how they may affect their businesses. Specifically:

US companies will face "stronger obligations" to protect Europeans' personal data, and must "publish their commitments" to data protection. While companies had to publish a compliant privacy policy and self-certify in order to demonstrate their compliance with the Safe Harbor principles - a relatively straightforward process that resulted in a company's name being added to a compliance list on the Department of Commerce's website - it remains to be seen what will be required of companies that wish to "publish their commitments" to the Privacy Shield principles, as well as the nature of the "stronger obligations" for data protection. The US Department of Commerce and Federal Trade Commission will engage in "stronger monitoring...

To continue reading