Details of the Privacy Shield Agreement Emerge, but Uncertainty Persists

By Joseph D. McClendon and Daniel L. Farris

On Monday, U.S. and EU officials revealed the full text of the proposed EU-US Data Privacy Shield agreement. The Privacy Shield, if approved by the European Commission Article 29 Working Party, would introduce new provisions geared at EU concerns regarding mass surveillance and privacy protection of personal data collected and transferred from the EU into the United States.

U.S. and EU officials have been in talks for nearly five months to get a new agreement in place. Negotiations began in October 2015 when the European Court of Justice invalidated the EU Commission’s Safe Harbor decision. That decision put at risk the ability of nearly 4,000 United States companies to transfer data from the EU to the United States under the now invalidated Safe Harbor framework.

Some of the key provisions of Privacy Shield that may affect U.S. companies include:

  • Companies will register under the program by self-certifying every year that they meet the requirements of the Privacy Shield.
  • The U.S. Department of Commerce will monitor every registered company to ensure that each company’s publicly facing privacy notice reflects the principles outlined in the Privacy Shield program.
  • Companies that drop out of the Privacy Shield program will still be required to follow the Privacy Shield principles for as long as they use, maintain, and store the personal data they received while they were still in the program.
  • There will be a 45 day response period for companies to respond to EU consumer complaints of mishandling personal information.
  • In addition to reaching out directly to the company, EU consumers can raise their complaint with their data protection authority, which will attempt to solicit a response from the U.S. Department of Commerce or the Federal Trade Commission within 90 days.
  • Privacy Shield compliant companies must provide an alternative dispute resolution process for consumers in the event that a company does not adequately respond to a complaint of personal information mishandling. Each company participating in the Privacy Shield program will have to provide details of the alternative dispute resolution program in its privacy notice.
  • There will be sanctions enforced against participating companies that do not comply with the Privacy Shield framework. Companies may face fines and exclusion if found to be non-compliant with the program.

How Did We End Up Here?

The U.S. and EU implemented the Safe Harbor framework in July 2000 as a way for U.S. companies to self-certify their adherence to the seven principles of personal data protection set out in the 1995 EU Data Protection Directive. Safe Harbor allowed personal data of EU citizens to flow out of the EU, provided that the U.S. company receiving the personal data registered their annual certification pursuant to the Safe Harbor framework. About 4,000 companies in the United States took advantage of this program as an alternative to implementing binding corporate rules or model contractual clauses.

Safe Harbor was invalided in October 2015 after the European Court of Justice found that Facebook’s transfer of data from the EU back to the United States violated EU citizens’ privacy rights as afforded by the EU Data Protection Directive. The claim arose after Edward Snowden revealed that the NSA had broad access to data and information collected through the PRISM program.

Shortly after the invalidation of Safe Harbor, EU authorities announced they would wait until February 2016 before undertaking enforcement campaigns against Safe Harbor certified U.S. companies, but reserved their rights to enforce the Data Protection Directive in the event that “Safe Harbor 2.0” was not implemented before the February deadline.

Judicial Redress Act

Following Safe Harbor invalidation, the United States Senate began negotiating the terms of the Judicial Redress Act – a bill that would allow EU citizens to use U.S. federal agencies to seek redress for misuse of their personal data. While the Act does not give the same protections to EU citizens that they enjoy in the EU, it does provide some level of comfort for EU officials concerned with how differently the U.S. addresses data privacy.

The Judicial Redress bill was passed by the U.S. House of Representatives in October 2015, shortly after the Safe Harbor invalidation decision, and was expected to pass the Senate in early 2016. An 11th hour amendment to the bill that specified that data transfers for commercial purposes could not supersede the U.S.’s interest in national security, however, stalled data transfer agreement discussions between the U.S. and the EU days before the February safe harbor deadline. Fortunately, the U.S. and EU reached an agreement on the Privacy Shield without having the privacy legislation finalized – meaning all interested parties had to wait to see if the U.S. legislature would follow through on its promise to provide privacy protections to EU citizens.

The Senate voted on, and passed, the revised text of the Judicial Redress Act shortly thereafter, which allowed the Senate and House versions of the bill to be consolidated and passed by both houses of Congress. The finalized bill was sent to President Obama’s desk in mid-February for executive review and signature. President Obama signed the bill on February 24th.

What Happens Now?

The EU Commission submitted the text of the Privacy Shield to the EU data protection authorities. All of the DPAs will meet in April to review and provide a position on the Privacy Shield. While the DPAs’ positions will not be legally binding, they will be highly persuasive and could set the tone for how the European Court of Justice handles its inevitable review of the framework. If the European Court of Justice finds that the Privacy Shield fails to adequately protect EU citizens and their right to privacy, then the Privacy Shield will likely be sent back to the committee for a rewrite.  The uncertainty may lead to a greater demand for U.S. companies to implement binding corporate rules or model contractual clauses to transfer personal data out of the EU. Additionally, many U.S. companies have already been exploring projects to build local infrastructure in the EU, which may become necessary in the event the Privacy Shield is never ratified.

With things still in a state of flux, no one is certain about the future of transatlantic data transfer rules. If you or your company have questions or concerns about preparing for or responding to new privacy regulations, or you are interested in creating and implementing a cybersecurity plan, contact the author or a Polsinelli Privacy and Data Security team member.