On Tuesday, the U.S. Department of Commerce, as well as the European Union, announced the formation of the new Privacy Shield agreement that will allow continued data exchanges.
So today, without further delay: what’s in this new agreement? The fact sheet spells out the overarching privacy protections, as noted below:
The EU-U.S. Privacy Shield significantly improves commercial oversight and enhances privacy protections.
- The Privacy Shield strengthens cooperation between the Federal Trade Commission and EU Data Protection Authorities, providing independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield.
- EU individuals will have access to multiple avenues to resolve concerns, including through alternative dispute resolution, now at no cost to the individual.
- The Department of Commerce will step in directly and use best efforts to resolve referred complaints, including by dedicating a special team with significant new resources to supervise compliance with the Privacy Shield.
- The Privacy Shield adds an important new avenue to supplement the others. Companies now will commit to participate in arbitration as a matter of last resort to ensure that EU individuals who still have concerns will have the opportunity to seek legal remedies.
- The Privacy Shield embodies a renewed commitment to privacy by the U.S. and the EU, and to ensure it remains a living framework subject to active supervision, the Department of Commerce, the FTC, and EU DPAs will hold annual review meetings to discuss the functioning of and compliance with the Privacy Shield.
- The Privacy Shield includes significant improvements to improve transparency regarding personal data use, strengthen the protections participants provide, and inform EU individuals more comprehensively about their rights under the program.
- The Privacy Shield includes new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies’ agents to improve accountability and ensure a continuity of protection.
- Since 2013, President Obama, including through Presidential Policy Directive 28, has directed several measures to enhance privacy protections for U.S. signals intelligence activities, including protections that apply regardless of nationality; enhanced executive oversight of intelligence activities; and implementation of new legislation that enhances judicial review of certain intelligence collection activities, increases transparency, and further ensures that collection of information for intelligence purposes is precisely focused and targeted.
- In connection with finalization of the new EU-U.S. Privacy Shield, the U.S. Intelligence Community has described in writing for the European Commission the multiple layers of constitutional, statutory, and policy safeguards that apply to its operations, with active oversight provided by all three branches of the U.S. Government.
- The Privacy Shield provides, for the first time, a specific channel for EU individuals to raise questions regarding signals intelligence activities relating to the Privacy Shield. As a part of this process, the United States is making the commitment to respond to appropriate requests regarding these matters, consistent with our national security obligations.
Since we have a risk (the risk of another framework failure), we, as good IT and Compliance folks, need to address it! The second part of this blog will cover some steps to take to mitigate and lessen the impact of another framework nullification: steps that don’t crush your organization’s ability to deliver or break the bank.