New US-EU ‘Privacy Shield’ Will Impose Heightened Compliance Obligations on US Companies
By Dov H. Scherzer and Daniel L. Farris
The European Commission and United States Department of Commerce agreed to a new transatlantic data transfer pact on Tuesday, two days after the January 31st deadline imposed by European data protection authorities. The deal comes four months after the European Court of Justice invalidated the Safe Harbor Agreement in Schrems v. Data Protection Commissioner.
Details of the new deal, which is being called the EU-US Privacy Shield, are not yet fully public. At a press conference in France, however, EU Commissioner Vera Jourova indicated that the new framework will impose stronger obligations on both US federal agencies and US companies. Technology companies in particular may face the strongest scrutiny.
Based on what is known, the Privacy Shield will require stronger monitoring of corporate privacy practices by the Department of Commerce and Federal Trade Commission. European citizens will have several mechanisms by which they may raise complaints about the privacy practices and treatment of personal data by US companies, both in Europe and the United States. The Privacy Shield will also be subject to an annual review by US and EU representatives, meaning the nature and scope of corporate obligations may change regularly.
In contrast to the old self-certification regime of the invalidated Safe Harbor Agreement, US companies should expect not only heightened privacy standards under the Privacy Shield, but also greater obligations to affirmatively demonstrate compliance. The EU Commission’s statements imply that US companies will have to agree to more robust European-style privacy standards and publish their commitments to such standards in privacy policies, and that they will be subject to FTC enforcement actions on deceptive trade practice grounds for failure to comply with their posted policies.
The Privacy Shield deal also calls for the creation of an independent privacy ombudsman within the US Department of State. This independent ombudsman will respond to complaints related to government surveillance and government access to data about EU citizens stored in the US. This last point is significant, as it may save Binding Corporate Rules and model contract clauses as alternatives for US companies seeking to transfer data from Europe. The availability of alternatives, however, is far from clear.
In fact, the Article 29 Working Party has not yet approved the Privacy Shield, and does not expect to do so until the end of March. While the Working Party has reiterated that Binding Corporate Rules and model contract clauses are still valid, it has left the question of enforcement of the existing data protection regulations to individual member state Data Protection Authorities. This is troubling for many US companies, as some countries – Germany in particular – have deemed these data transfer alternatives invalid.
While an agreement between the US and EU on a new transatlantic data transfer framework is positive, many questions remain about the Privacy Shield. With the potential for Member State enforcement, short-term risk may be more acute. If US companies can be certain of anything, it is that heightened privacy obligations are coming. If you have not started working towards EU-style compliance yet, you should consider using the General Data Protection Regulation as a guide to improve your policies.
For assistance in understanding how the Privacy Shield may affect your company, auditing privacy and data security compliance programs, drafting model agreements, or preparing Binding Corporate Rules, please contact the author or a Polsinelli Privacy and Data Security team member.