Shield Or Sword? The New EU-U.S. Privacy Shield

Author: Ms Lisa R. Lifshitz
Profession: Torkin Manes LLP

On Feb. 2, European and American officials announced they had met their deadline to come up with a new framework for transatlantic legal data transfer between the United States and Europe — a new "EU-U.S. Privacy Shield."

Ever since the Oct. 6, 2015 European Court of Justice ruling in Schrems v. Data Protection Commissioner invalidated the old Safe Harbor framework, data transfers between Europe and the U.S. have essentially been deemed unlawful unless made subject to other mechanisms, including model form data transfer agreements or binding corporate rules. In that case, Max Schrems, a Facebook user and plucky law student, initiated a complaint after discovering that Facebook's Irish subsidiary transferred personal information of users to servers located in the U.S. without ensuring an adequate level of protection for such data.

For the 4,465 multinational companies that relied on the U.S.-EU Safe Harbor list, the Schrems decision was a nasty shock. It woke the world to the realization that, following Edward Snowden's revelations regarding U.S. surveillance and the collection and transfer of personal information by the National Security Agency through its Prism Program, European data protection authorities were not going to sit idly by and allow transfers of data outside of Europe (in this instance, Ireland) to territories they deemed not to have adequate data protection laws.

Negotiations to replace Safe Harbor began quickly after the decision, and the Article 29 Working Party (composed of representatives from the data protection authority of each EU member state, the European Data Protection Supervisor, and the European Commission) set an ambitious deadline to replace the framework. They wanted it in place before individual data protection authorities could begin enforcing their rights to block individual data transfers outside the EU to countries that they consider to provide inadequate data protection.

The new EU-U.S. Privacy Shield will include the following:

Strong obligations on companies handling Europeans' personal data and robust enforcement

U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The U.S. Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. Additionally, any company handling human...
