Safe Harbor Update: Privacy Shield Agreement

Ever since last year’s nullification of the US-EU Safe Harbor agreement, both sides of the Atlantic have been eagerly awaiting a new framework; without a new agreement, business on both sides would have been nearly totally disrupted! It looked like on Tuesday we were going to have an utter collapse with both the EU Commission and US Department of Commerce giving very loud warnings, but at the last second, a new framework was announced: the EU-U.S. Privacy Shield.

On Tuesday, the U.S. Department of Commerce, as well as the European Union,  announced the formation of the new Privacy Shield agreement that will allow continued data exchanges.

So today, without further delay, – what’s in this new agreement?! The fact sheet spells out the over-arching protections for privacy as noted below:

The EU-U.S. Privacy Shield significantly improves commercial oversight and enhances privacy protections.

• The Privacy Shield strengthens cooperation between the Federal Trade Commission and EU Data Protection Authorities, providing independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield.
• EU individuals will have access to multiple avenues to resolve concerns, including through alternative dispute resolution, now at no cost to the individual.
• The Department of Commerce will step in directly and use best efforts to resolve referred complaints, including by dedicating a special team with significant new resources to supervise compliance with the Privacy Shield.
• The Privacy Shield adds an important new avenue to supplement the others.  Companies now will commit to participate in arbitration as a matter of last resort to ensure that EU individuals who still have concerns will have the opportunity to seek legal remedies.
• The Privacy Shield embodies a renewed commitment to privacy by the U.S. and the EU, and to ensure it remains a living framework subject to active supervision, the Department of Commerce, the FTC, and EU DPAs will hold annual review meetings to discuss the functioning of and compliance with the Privacy Shield. 
• The Privacy Shield includes significant improvements to improve transparency regarding personal data use, strengthen the protections participants provide, and inform EU individuals more comprehensively about their rights under the program.
• The Privacy Shield includes new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies’ agents to improve accountability and ensure a continuity of protection.

The EU-U.S. Privacy Shield demonstrates the U.S. commitments to limitations and safeguards on national security.

• Since 2013, President Obama, including through Presidential Policy Directive 28, has directed several measures to enhance privacy protections for U.S. signals intelligence activities, including protections that apply regardless of nationality; enhanced executive oversight of intelligence activities; and implementation of new legislation that enhances judicial review of certain intelligence collection activities, increases transparency, and further ensures that collection of information for intelligence purposes is precisely focused and targeted.
• In connection with finalization of the new EU-U.S. Privacy Shield, the U.S. Intelligence Community has described in writing for the European Commission the multiple layers of constitutional, statutory, and policy safeguards that apply to its operations, with active oversight provided by all three branches of the U.S. Government.
• The Privacy Shield provides, for the first time, a specific channel for EU individuals to raise questions regarding signals intelligence activities relating to the Privacy Shield.  As a part of this process, the United States is making the commitment to respond to appropriate requests regarding these matters, consistent with our national security obligations.

Now before everyone cheers and pats each other on the backs, it’s important to understand that we have a “tentative” agreement in place right now. This is not the final and approved version! The Article 29 Working Party still needs to approve the agreement, though it is expected to make it through the approval process in good shape. What is concerning is that there are already groups and individuals that have indicated that the protections of the new Privacy Shield agreement will be challenged in the EU courts as soon as it goes into effect. There is no consensus as to how these suits will fair, but there is a general feeling that the EU courts may again nullify portions or all of the new framework, which would start the whole of the process again.

Since we have a risk- the risk of another framework failure- we, as good IT and Compliance folks, need to address it! The second part of this blog will cover some steps to take to mitigate and lessen the impact of another framework nullification. Steps  that don’t crush your organizations ability to deliver –  or break the bank.