As of Tuesday, July 12, the EU-US Privacy Shield has been formally adopted as the new guiding framework for data privacy protection and data transfers between the US and European Union member states.
This is welcome news for US organizations, which suffered a major setback when the Safe Harbor Agreement was declared invalid by the EU Court of Justice in October 2015. The landmark ruling left thousands of companies scrambling for other legal means to transfer data that would still keep them in compliance with Europe’s strict privacy laws.
The EU-US Privacy Shield: Salient Points
The Privacy Shield aims to provide clear guidelines for cross-border data transfers, which are a critical component of business, while offering stronger data privacy protection for European citizens.
The key principles of the new framework include:
• Stronger obligations for companies. While US companies will continue to self-certify their compliance with the data protection standards, the US Dept. of Commerce is tasked with conducting regular reviews to ensure such adherence. Any organization found to be non-compliant can be subject to sanctions and/or removal from the Privacy Shield list. The tighter standards will also apply to onward transfers of data from a Privacy Shield-certified company to third parties.
• Clear safeguards and transparency obligations on U.S. government access. Addressing major concerns about how US authorities can access information on European consumers, the US has given assurance that data access for purposes of law enforcement and national security will be “subject to clear limitations, safeguards and oversight mechanisms.” The Privacy Shield also protects EU consumer data from indiscriminate mass surveillance by the US government as revealed by Edward
• Effective protection of individual rights. Any citizen who has reason to believe that his or her data may have been misused or privacy rights violated can raise a complaint through any of the “several accessible and affordable dispute resolution mechanisms” provided for by the Privacy Shield.
If the issue is not resolved at the company level, an Alternative Dispute Resolution (ADR) procedure is offered free of charge. Consumers can also file their complaint with their national Data Protection Authority, which will coordinate with the US Federal Trade Commission and the Department of Commerce. Any dispute in the area of national security will be dealt with by a US privacy ombudsperson who is independent of the intelligence services.
• Annual joint review mechanism. The European Commission and the US Department of Commerce will jointly review the Privacy Shield on an annual basis to ensure that standards are upheld, including the commitments given on data access for law enforcement and national security.
Leading tech organizations including Google and Microsoft have stated that they are now in the process of implementing the requirements for Privacy Shield certification. Companies that consider transatlantic data transfers vital to their business can sign up starting August 1.