Welcome To The New EU-US Privacy Shield

Author: Ms Lisa R. Lifshitz and Dianne Hajdasz
Profession: Torkin Manes LLP

 After two years of negotiations, the European Commission and United States of America (the "U.S.") have unveiled the replacement to the U.S.-EU Safe Harbor Framework (the "Safe Harbor"), known as the EU-U.S. Privacy Shield (the "Privacy Shield").

When U.S. companies engage in trade and commerce with the European Union (the "EU"), the personal information of EU citizens is often transferred to the U.S. Prior to October 2015, U.S. companies protected the data of EU citizens by complying with the requirements of the Safe Harbor. However, on October 6, 2015, the Court of Justice of the European Union declared that the Safe Harbor was invalid. After this decision, the U.S. and EU began negotiations to develop a new framework for transatlantic data transfers, which the European Commission revealed on February 2, 2016 as the Privacy Shield. The intention of the Privacy Shield is to ensure that when the personal information of EU citizens is transferred to U.S. companies under the Privacy Shield, such personal information will receive data protection equivalent to the standards that exist in the EU. On February 29, 2016, the European Commission released a draft adequacy decision and the legal texts that will form the Privacy Shield, including written assurance by the U.S. government to enforce the agreement and the Privacy Shield Principles, that is, the principles that participating U.S. companies will be required to follow (the "Privacy Shield Principles")1.

The decision to enter the Privacy Shield is voluntary. U.S. companies that wish to rely on the Privacy Shield are required to self-certify, publicly declare their adherence to the Privacy Shield Principles and demonstrate full compliance. The U.S. Department of Commerce (the "Department of Commerce") will keep an updated and publicly available list of the companies that have entered the Privacy Shield (the "List") and will remove from such List any companies that have voluntarily withdrawn or been removed due to non-compliance. U.S. companies that have entered the Privacy Shield must apply the Privacy Shield Principles to personal information transferred under the Privacy Shield. Additionally, companies that were removed from the List, but still retain personal information that was received while they participated in the Privacy Shield, must continue to apply the Privacy Shield Principles to such personal information.

The Privacy Shield Principles are broken down into seven...
