Last year, the death of the US-EU Safe Harbor Arrangement sent waves of shock and despair through the approximately 4,500 companies that used this mechanism to transfer personal data from the EU to the US. But a new day has dawned.
Under the EU Data Protection Directive (and also under the new General Data Protection Regulation, the GDPR), personal data can only be transferred to countries that provide an "adequate level of protection" for it. The EU has thus far not deemed the US to provide an adequate level of protection, so Safe Harbor was created as a workaround: companies could voluntarily agree to abide by a set of privacy principles enforced by the FTC, and in return they would be permitted to transfer the personal data of EU citizens to the US.
Safe Harbor was in place from 2000 to 2015, when it was invalidated by the Court of Justice of the European Union in Schrems v. Data Protection Commissioner. The court's main rationale for sinking Safe Harbor was that US law placed inadequate restrictions on government surveillance of personal data.
Today, the European Commission and the US have reached an agreement on a new Safe Harbor, called the EU-US Privacy Shield. First, to my chagrin, they named it Privacy Shield rather than Safe Harbor 2.0, and I had a nice set of harbor illustrations for my privacy training that will now need to be replaced. According to the European Commission press release, the new EU-US Privacy Shield will provide for the following:
(1) There will be “stronger obligations on companies in the U.S. to protect the personal data of Europeans.”
(2) The EU-US Privacy Shield will provide for “stronger monitoring and enforcement” by the Department of Commerce and FTC.
(3) There will be “commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access.” The press release notes that the US has “ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.”
(4) Europeans will have new abilities to raise complaints for redress: "Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created."
(5) There will be "an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it."
These are the details about the new EU-US Privacy Shield that we have so far, all drawn from the press release; the full text of the arrangement has not yet been published. I now need to get working on some new imagery.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.