From Safe Harbor to Privacy Shield: The New EU–U.S. Data Transfer Framework

From Safe Harbor to Privacy Shield: The New EU–U.S. Data Transfer Framework

Multinational companies must comply with EU data protection laws when dealing with European citizens’ personal data.  In the digital era, this requirement becomes more sensitive and task-intensive.  Essentially, companies in the European Economic Area (EEA) “are prohibited from sharing personal data with affiliates, vendors, customers and anyone else outside the EEA, unless an adequate level of data protection in the recipient jurisdiction is assured or an exception or derogation applies.”^[1] As a result, companies dealing with Europe must adhere to EU-authorized data transfer mechanisms to be deemed “adequate.”^[2]

 

The new EU-U.S. Privacy Shield Framework, developed jointly by the U.S. Department of Commerce and the European Commission, covers guidelines to follow when transferring personal data between Europe and the United States.^[3] The program intends to ensure the privacy of users’ data as it moves across the two continents while providing a simple and cost effective framework for U.S. companies to comply with EU laws.^[4] The European Commission had previously established that companies who adhered to the U.S. Department of Commerce’s Safe Harbor Program, would be deemed adequate for the transfer of data.^[5] However, last year the European Court of Justice ruled the Safe Harbor Agreement invalid.^[6] After Snowden revealed U.S. practices regarding mass surveillance, Europe was concerned about its citizens’ data and pushed the Privacy Shield to further protect it.^[7]

 

Experts contend that the Privacy Shield Framework is more elaborate and rigid than the Safe Harbor Program.^[8]. Unlike the Safe Harbor, the Privacy Shield allows for annual review of the framework, “[has] requirements regarding more detailed privacy notices, [a] more robust onward transfer contracts and access to such contracts by the Commerce Department, and data minimization, data retention, [and] independent recourse mechanisms at no cost to the individual, as well as publication requirements relating to non-compliance.”[footnote]Id.[/mfn]

 

To follow the Privacy Shield Framework, companies must self-certify to the Department of Commerce and include the company’s commitment to the Privacy Shield in their privacy policies.^[9] Among the myriad of requirements, companies must also link out to the Privacy Shield website, must provide a site for users to complain, must communicate to users their rights to access the data collected about them, must respond to users’ complaints within forty-five days, must maintain the integrity of the data, and must only collect only the personal information required to carry out the company’s business.^[10] Furthermore, if a company uses third-party vendors to process the data from the EU, the company must review that the vendor contracts provide that the data transferred will only be used for limited and specified purposes, and that the data collected will be provided at least the same protection required by the Privacy Shield.^[11]

 

Although following “the Privacy Shield Framework is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law.”^[12]

 

As of now, major U.S. companies like Google, Microsoft, and Oracle have signed up with the U.S. Department of Commerce to adhere to the Privacy Shield Framework.^[13]