Breaking: EU-U.S. Privacy Shield to Replace Safe Harbor
- First, Privacy Shield will create several possible mechanisms for consumer protection and redress. Organizations using the Privacy Shield will be expected to resolve any issues directly with EU consumers, and will be faced with deadlines for responding to complaints. Alternatively, EU consumers may reach out to the appropriate data protection authority, which will then work with the FTC to ensure that complaints by EU citizens are investigated and resolved within a reasonable time frame. As a last resort, parties may engage in an alternative dispute resolution process. Finally, with respect to complaints relating to access by U.S. public officials, Privacy Shield will create an ombudsperson in the U.S. State Department to review national security complaints referred by European Data Protection Authorities.
- In the area of national security and government access to data, in connection with the Privacy Shield, the United States has provided the EU written assurances that access to information by public authorities will be subject to clear limitations, safeguards, and oversight mechanisms. In a press conference announcing the agreement, Věra Jourová, EU Commissioner in charge of Justice, Consumers and Gender Equality, highlighted these “binding assurances” given by the U.S. regarding “clear limitations” on national security access, and noted that the U.S. commitments would be subject to an annual joint review by the European Commission and the DOC, as well as national intelligence experts from the European Data Protection Authorities.
- On enforcement monitoring generally, the European Commission and Department of State will engage in a joint annual review to monitor the functioning of the agreement. The annual review process will facilitate opportunities for the EU and U.S. to adjust the agreement in response to changing political and technical developments. According to Jourová, the Department of Commerce and FTC also have committed to performing more frequent compliance reviews of companies using the Privacy Shield, and to implementing sanctions against those failing to meet their obligations.
Jourová separately noted what she believed to be the three main achievements of Privacy Shield in strengthening protection for EU citizens’ data:
- Greater safeguards and transparency obligations regarding U.S. government access to data
- Redress mechanism for EU citizens in the area of national security
- Stronger conditions for companies handling personal data of EU citizens
At the press conference announcing the agreement, Commissioner Jourová expressed her belief that the Privacy Shield agreement would be implemented within the next three months. According to Jourová, the Commissioner will work to draft an adequacy provision for adoption in the next few weeks and, in parallel, the U.S. Department of Commerce will work to implement the agreed-upon mechanisms. Both Commissioner Jourová and Vice-President Ansip expressed their belief that the new Privacy Shield solution would be able to withstand future challenges but that, as the agreement provides for a "living" scheme, the practical work behind the arrangement was just beginning. Once in place, the Privacy Shield is expected to be a viable mechanism to rely on for the purposes of transatlantic data flows. But, in the meantime, it is still necessary to be in a position to legitimize such data flows through alternative legally valid means.
We will provide additional details and analysis on the EU-U.S. Privacy Shield as more information becomes available.
Julian Flamant in our Washington, D.C. office contributed to this entry.