PH Privacy
Too Late, But Will It Prove Too Little? U.S. and EU Eke Out Last-Minute Data Deal
By Kathleen Sheridan
Two days after the
Those latter concerns – championed by Austrian graduate student Max Schrems – resulted in the
That speculation ended yesterday in the form of the EU-U.S. Privacy Shield. The new framework promises to:
Impose strong obligations on companies that handle personal data from EU citizens;
Demand robust enforcement by U.S. authorities against companies that fail to satisfy their obligations;
Impose clear limitations, safeguards and oversight mechanisms to limit U.S. governmental access to data in the name of law enforcement and national security; and
Grant redress avenues for EU citizens who believe that their personal data has been misused under the framework.
To effect these promises, the EU-U.S. Privacy Shield will require U.S. companies importing personal data from the EU to publish their privacy commitments. The U.S. Department of Commerce will monitor to ensure that privacy policies are published, and the Federal Trade Commission will prosecute violations by U.S. companies of their own policies. Additionally, U.S. companies that handle European human resources data must commit to abide by the decisions of European Data Protection Agencies (DPAs).
Aggrieved EU citizens will be able raise concerns to U.S. companies individually or through their own DPAs, which will then refer complaints to U.S. authorities. Free alternative dispute resolution will also be available. The U.S. will also create a new Ombudsperson to address concerns regarding national security-specific surveillance raised by EU citizens.
As part of the deal, the U.S. government has affirmed that it does not engage in indiscriminate mass surveillance activities and provided written assurances to the EU that governmental access to personal data in the name of national security will be subject to clear limitations, safeguards and oversight mechanisms. Little further detail was provided, but the U.S. has promised that access will be sought “only to the extent necessary and proportionate.”
The U.S. has also committed to submit to an annual joint review to monitor the functioning of the Privacy Shield. These reviews – conducted by the European Commission and the U.S. Department of Commerce – will specifically include the issue of national security access and will include national intelligence experts from the U.S. government and from European DPAs.
Despite the announcement by U.S. and EU authorities on the Privacy Shield, much work remains to be done. The EU College of Commissioners must draft an adequacy decision, which will then be submitted to the Article 29 Working Party for advice and comment. A committee of EU Member State representatives will also consult on the draft adequacy decision, after which time it will be adopted. During this period, U.S. authorities will prepare to implement its obligations related to the framework generally, monitoring mechanisms, and the Ombudsperson position.
To learn more about the impact of the decision on your company and about the approaches being taken by others, please contact any member of our
PH Privacy is Paul Hastings’ Privacy, Cybersecurity and Data Governance blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.