What is the EU-US Privacy Shield?
The EU–US Privacy Shield is a framework, agreed by the EU and the US, to facilitate the cross-border flow of EU citizens’ data.
The EU Commission formally adopted the framework on July 12, 2016. Companies based in the United States will be able to certify their compliance with the framework from August 1, 2016.
EU data protection laws place restrictions on the transfer of personal data to countries outside the European Economic Area (EEA), unless those countries have taken adequate data protection measures as approved by the EU. EU policymakers consider the data protection laws of the United States inadequate.
The Privacy Shield provides a framework for US organizations that require access to the data of European citizens. In addition, according to the EU Commission, it offers "legal clarity" for organizations wishing to undertake transatlantic data transfers.
The Privacy Shield will require US companies to implement stricter measures to protect the personal data of Europeans.
The Privacy Shield
The Privacy Shield has replaced the Safe Harbor agreement, which was invalidated after the European Court of Justice found that it did not offer adequate protection for data transfers from Europe to the US.
The Privacy Shield was developed in response to this ruling to address EU concerns over US government surveillance of personal data. The Privacy Shield provides guidelines for companies handling data and includes new US government assurances about how EU citizens’ data may be used.
The Privacy Shield will require US companies to self-certify that they meet higher data protection standards.
Monitoring and enforcement
The Privacy Shield will require more stringent monitoring and enforcement by the US Department of Commerce and the Federal Trade Commission (FTC), through increased cooperation with European data protection authorities.
Under the agreement, the US Department of Commerce has been charged with conducting “regular reviews” to ensure compliance.
European citizens who feel that their privacy rights have been violated can file complaints with their national data protection agencies. These agencies are expected to forward these complaints to the Department of Commerce or the Federal Trade Commission in the US.
Data privacy violation complaints can also be handled via an “arbitration mechanism” in certain instances.
In addition, disputes about national security will be dealt with by an independent ombudsperson in the US.
Clear limitations, safeguards and oversight mechanisms
The US has assured EU member states that there will be “clear limitations, safeguards and oversight mechanisms” controlling how law enforcement and federal agencies access European citizen data.
The US has undertaken to collect bulk data only “under specific preconditions” and stated that data collection will be as “targeted and focused as possible,” according to a statement released by the EU Commission.
The EU–US Privacy Shield is based on the following four principles:
- Strong obligations on companies handling data
- Clear safeguards and transparency obligations on US Government access
- Effective protection of individual rights
- Annual joint review mechanism