EU and U.S. officials finally unveiled the full text of the proposed EU-U.S. Privacy Shield framework earlier this week. The agreement is the culmination of a five-month negotiation to address European concerns regarding mass surveillance and personal data protection issues surrounding transatlantic data transfers. The European Commission’s Article 29 Working Party must now review and approve it.
Privacy Shield replaces the Safe Harbor framework, which the European Court of Justice invalidated in October. That decision impacted nearly 4,000 United States companies that transfer data from the EU to the United States under Safe Harbor.
Under the provisions of Privacy Shield:
- Companies must self-certify annually that they meet its requirements
- The U.S. Department of Commerce will monitor all registered companies to ensure that their publicly facing privacy notices reflect Privacy Shield principles
- Companies that leave the program will still be required to follow its principles for as long as they use, maintain and store the personal data they received while they were participants
- There will be a 45-day response period for EU consumer complaints related to mishandling personal information
- In addition to directly contacting the company, EU consumers can submit their complaint to their data protection authority, which will coordinate with the U.S. Department of Commerce or the Federal Trade Commission to achieve a response within 90 days.
- Companies must offer an alternative dispute resolution process for consumers and provide details on said process in its privacy notice
- Participating companies that do not comply with the Privacy Shield framework will face sanctions, which can include fines and exclusion from the program.
The Story So Far
The origins of the Safe Harbor framework, agreed upon in July 2000, lie in the 1995 EU Data Protection Directive, which laid out seven data protection principles. Safe Harbor allowed companies to transfer data out of the EU if they annually self-certified their adherence to those seven principles. About 4,000 U.S. companies took advantage of the program as an alternative to binding corporate rules or model contractual clauses.
In October 2015, the European Court of Justice (ECJ) found that Facebook’s transfer of data from the EU back to the U.S. violated EU citizens’ privacy rights under the EU Data Protection Directive. and invalidated Safe Harbor in the process. The case arose in response to Edward Snowden’s revelations about the NSA’s PRISM program.
Shortly thereafter, EU authorities announced they would suspend enforcement campaigns against Safe Harbor-certified U.S. companies until February 2016, but reserved their rights to enforce the Data Protection Directive in the event that a replacement was not implemented before that deadline.
Enter the Judicial Redress Act, Stage Left
Meanwhile, the U.S. Senate began negotiating the terms of the Judicial Redress Act – a bill that would allow EU citizens to pursue a private right of action for misuse of their personal data that occurs in the U.S. While the Act falls short of providing the same level of protections EU citizens enjoy in their own countries, it does more closely align those protections, allowing some level of comfort for EU officials.
The U.S. House of Representatives passed its Judicial Redress bill in October 2015, shortly after the ECJ’s decision. The bill was expected to pass the Senate in early 2016, but an 11th hour amendment limited the right to sue to citizens of countries that permit data transfers for commercial purposes to the U.S. and do not impose personal data transfer protections that impede U.S. national security interests. That amendment stalled discussions between the U.S. and the EU days before the February deadline. Fortunately, the parties reached an agreement before Congress finalized the privacy legislation – the interested parties had to wait to see if the U.S. would follow through on its promise to provide privacy protections to EU citizens.
The Senate voted on, and passed, the amended version of the Judicial Redress Act, which allowed both houses to consolidate and pass it. The finalized bill was sent to President Obama’s desk in mid-February and he signed it into law on February 24.
The European Commission submitted the Privacy Shield text to the EU data protection authorities. The DPAs will convene in April to review and announce their position. While their positions will not be legally binding, they will be highly impactful and could set the stage for the ECJ’s inevitable review of the framework. If the ECJ finds that the agrement fails to adequately protect EU citizens and their right to privacy, then the court will likely send it back to the committee for a rewrite. The associated uncertainty prior to any review may lead to greater demand for U.S. companies to implement binding corporate rules or model contractual clauses to transfer personal data out of the EU. Additionally, many U.S. companies have already been exploring projects to create local data infrastructure in the EU, which may become necessary if Privacy Shield is never ratified.