On February 2, 2016, EU and US authorities reached an agreement in principle on a new framework for transatlantic data transfers, dubbed the "Privacy Shield." In a nutshell, the Privacy Shield aims to create a higher level of protection for EU citizens' personal data, and to provide some legal certainty for companies engaging in transatlantic data transfers. While the details are still being worked out, there are important steps companies can take now to prepare for the changes. We'll run through the key elements of the Privacy Shield and let you know how to get ahead of the curve.
The Privacy Shield agreement comes in the wake of the European Court of Justice's invalidation in October 2015 of the then-existing Safe Harbor data transfer agreement on the ground it failed to adequately protect the privacy rights of EU citizens, primarily in light of the Edward Snowden revelations. Shortly after the decision, the Article 29 Working Party, consisting of EU data protection authorities ("DPAs"), announced that if a new agreement wasn't reached by the end of January 2016, individual DPAs in Europe could initiate enforcement actions against companies that continued to rely on the invalidated Safe Harbor. In its latest press statement accompanying the release of the Privacy Shield documents, the European Commission confirmed that the new Privacy Shield framework satisfies European Court of Justice requirements. The deal now must be approved by the EU's College of Commissioners, with reports suggesting it could be adopted by June or early summer.
Key Elements of Privacy Shield
The Privacy Shield Principles: Key to the new Privacy Shield are seven principles with which US companies must agree to comply when handling Europeans' personal data: i) notice; ii) choice; iii) security; iv) data integrity and purpose limitation; v) access; vi) accountability for onward transfers; and vii) recourse, enforcement and liability.

Stronger Obligations, Monitoring, and Enforcement: Companies must certify to the US Department of Commerce that they agree to and will comply with the Privacy Shield Principles. The Department of Commerce will require companies to publish their Privacy Shield commitments via their privacy policies. The FTC will have jurisdiction (as it does now) to enforce Privacy Shield representations made in company privacy policies. There will be stricter conditions for onward transfers of data to agents and other third-party...