On July 12, 2016, the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, and U.S. Secretary of Commerce Penny Pritzker announced the formal adoption of the EU-U.S. Privacy Shield (the “Privacy Shield”) framework, composed of an Adequacy Decision and accompanying Annexes.
The Privacy Shield is designed to protect the fundamental rights of individuals whose personal data is transferred to the U.S. and ensure legal certainty for businesses with respect to transatlantic transfers of personal data.
The European Commission outlines the following principles of the new framework:
- Strong obligations on companies handling personal data. The Privacy Shield includes stricter oversight mechanisms to help ensure companies abide by their commitments, including regular monitoring by the U.S. Department of Commerce. The Privacy Shield also includes stricter conditions for onward transfers of personal data to third parties by participating companies.
- Clear safeguards and transparency obligations on U.S. government access. The European Commission has obtained strong written commitments and assurance from the U.S. government that access to personal data by government authorities for law enforcement, national security and other public interest purposes will be subject to clear conditions, limitations and oversight mechanisms, preventing generalized access and bulk collection of personal data. In addition, a new redress mechanism has been established for EU individuals in the area of national security, through an Ombudsperson within the Department of State. The Ombudsperson will act independently from the U.S. Intelligence Services.
- Effective protection of individual rights. Individuals who consider that their personal data has been misused under the Privacy Shield framework will benefit from several accessible and affordable dispute resolution mechanisms. These mechanisms include (1) the right for individuals to lodge a complaint directly with the company, (2) free of charge alternative dispute resolution solutions, (3) the right to lodge a complaint with national data protection authorities (the “DPAs”), working in collaboration with the U.S. Federal Trade Commission, and (4) an arbitration mechanism as a last resort.
- Annual joint review mechanism. The European Commission and the U.S. Department of Commerce will annually monitor the functioning of the Privacy Shield, together with national security experts from the U.S. and European DPAs. The review also will cover the commitments and assurance regarding access to data for law enforcement and national security purposes.
The Adequacy Decision on the protection provided by the Privacy Shield will be notified to the EU Member States today, on July 12, 2016, and will immediately enter into force. In the U.S., the Privacy Shield framework will be published in the Federal Register. Companies will be able to certify with the U.S. Department of Commerce starting August 1, 2016.
The European Commission also will publish a short guide for individuals explaining the available remedies in case an individual thinks that his or her personal data has been misused.
The Article 29 Working Party is currently analyzing the Adequacy Decision in view of its previous Opinion on the Privacy Shield. It will meet on July 25, 2016, to finalize its position on that decision.
Read the U.S. Secretary of Commerce’s remarks from the EU-U.S. Privacy Shield Framework Press Conference.