Transatlantic exchanges of personal data for commercial purposes were, in the past, overseen by the International Safe Harbor Privacy Principles. In October 2015, the European Court of Justice declared the previous Safe Harbor framework invalid. In February 2016, the European Commission and the US Government reached a new agreement, the EU-U.S. Privacy Shield. Despite criticism that the Privacy Shield is “not robust enough,” the EU Commission approved a final version on July 12, 2016, and its implementation began with the US Department of Commerce on August 1, 2016.
The creation and ultimate effectiveness of the Privacy Shield are critical to the future of commercial relationships between the United States and the EU. Essentially, it sets the guidelines for the handling, transmission and possession of EU citizens’ personal data by U.S. companies. The brief issued by the European Commission notes that the new Privacy Shield “imposes stronger obligations on U.S. companies to protect Europeans’ personal data,” including annual certification, greater transparency, and oversight mechanisms to ensure companies abide by the rules, as well as sanctions or exclusion for companies that do not comply.
In a new article for the New York Law Journal, I talk about the Privacy Shield’s Growing Pains and how an understanding of the progression to the Privacy Shield can help organizations anticipate how the new Privacy Shield will be enforced. In the article, I talk about:
Although the final version of the Privacy Shield has gone into effect, it is still a work in progress. For example, the Shield requires the establishment within the US Department of State of an independent Ombudsman mechanism to handle complaints from EU citizens. It is also likely that the annual review of the Privacy Shield will include changes, so it’s key that organizations remain vigilant to future compliance requirements. Read the full article here.