After Safe Harbor, the agreement governing transfers of personal data between the U.S. and the European Union, was invalidated in October 2015, the U.S. Department of Commerce and the European Commission worked to draft a replacement agreement giving Europeans more rights over their personal information held in the U.S. On July 12, the EU-US Privacy Shield was adopted.
Why did this agreement come about in the first place? When the EU Court of Justice ruled Safe Harbor invalid, it had two key concerns: excessive U.S. government access to Europeans' data (brought to light by the Edward Snowden leaks of 2013), and the lack of a process through which European citizens could raise their concerns. Privacy Shield aims to redress both.
Are there a lot of differences between the agreements? Not really. Safe Harbor and Privacy Shield differ more in how they address data transfers than in the nature of the transfers themselves. Safe Harbor had seven principles: Notice, Choice, Onward Transfers (transfers to third parties), Access, Security, Data Integrity, and Enforcement. Privacy Shield keeps those same principles, but adds more individual rights for EU citizens, stricter requirements for U.S. businesses, and restrictions on U.S. government access to personal data.
One major change from Safe Harbor concerns the transfer of data to third parties, the Onward Transfers principle. Under the old agreement, an organization had to provide notice and choice to consumers before sharing personal information with a third party, but this was not required when the third party was “acting as an agent to perform tasks on behalf of and under the instructions of third organization.”
Under the new agreement, that rule has changed dramatically. Companies that wish to transfer data to third parties must now also comply with the principle of purpose limitation and ensure that the third party provides the same level of protection as Privacy Shield requires of the original company. Organizations must also provide a copy of the relevant portions of their privacy agreement with the third party to the Department of Commerce upon request. Even when those requirements have been met, an organization remains liable if the third party does not process the information in a manner consistent with Privacy Shield, unless it proves it is not responsible for the event that caused the damage to the personal information.
What else has changed?
Other key differences include:
- More options to file a claim: Privacy Shield gives EU citizens multiple avenues for raising concerns or complaints about data privacy, including the offending organization itself and the European Data Protection Authorities, as well as an independent U.S. ombudsman who will handle complaints from EU citizens. Finally, there is binding arbitration by the Privacy Shield Panel, an option reserved for those who have exhausted all the others.
- More monitoring of compliant companies: Both the U.S. and the EU have several bodies that will monitor organizations' compliance more actively than was done under Safe Harbor. The U.S. bodies acting as watchdogs include the Department of Commerce, the Department of Transportation and the FTC. The Department of Commerce has an expanded role under the new framework, including periodic compliance reviews with organizations to identify any issues that warrant further action. The department will also act as a liaison with the European Data Protection Authorities.
- Stricter reporting obligations: Even if an organization withdraws from the Privacy Shield agreement, it remains responsible for any data obtained while it was a member. Under Safe Harbor, an organization had to prove compliance annually. Under Privacy Shield, an organization is now required to maintain records about its privacy program and provide them to regulators upon request. As under Safe Harbor, organizations that leave Privacy Shield must keep any retained information at the same level of protection it had while they were members. Privacy Shield adds the further requirement that organizations must annually prove to the Department of Commerce that they are protecting that information in accordance with the framework. If they are found to be in breach of the agreement, they must destroy or delete all affected data, or protect it adequately by another authorized means, such as the EU Standard Contractual Clauses. If an organization no longer needs data obtained under Privacy Shield, that data must be deleted.
Overall, Privacy Shield seeks to address the concerns voiced by Europeans over how much of their data was being sent to the U.S. and over the absence, under Safe Harbor, of any process for filing complaints. Despite the framework being signed on July 12, many critics of the new policy remain vocal and question whether it can withstand a legal challenge. Companies may self-certify adherence to the new principles beginning Aug. 1, and the full list of certified companies is available on the Privacy Shield website.