As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce.  Commerce’s release coincided with the release of a draft adequacy decision by the European Commission.

A number of the Privacy Shield principles, notably in enforcement, onward transfer, and regular review, are significantly more stringent than the Safe Harbor.  In light of these new obligations, among others, privacy professionals should carefully consider whether this data-transfer framework is right for their companies.

  1. Tougher and Binding Remedies and Enforcement

In addition to FTC enforcement under Section 5, the Principles encourage individuals to bring their complaints directly to the organization at issue, to which the signatory must respond within 45 days.  If the complaint is not resolved, the consumer may bring his or her complaint before an independent dispute resolution body.  The Principles allow signatories to utilize U.S.- or EU-based dispute resolution bodies, or a panel of EU member state data protection authorities (DPAs).

For signatories that utilize the DPA panel, the Principles state that the panel will provide advice as quickly as possible, but as a general rule within 60 days.  DPA panel remedies, as well as remedies from other dispute resolution bodies, can include “publicity for findings of non-compliance,” compensation “for losses incurred as a result of non-compliance,” or the suspension or removal of a Privacy Shield seal.  Signatories must comply with DPA panel advice within 25 days, and in the event of non-compliance, the DPA panel can refer the matter to the FTC or another relevant U.S. federal government agency for enforcement action or inform Commerce so that the organization is removed from the Privacy Shield List.

For claims that remain unresolved after the dispute resolution process, a consumer must raise the issue through his or her DPA to allow Commerce an opportunity to resolve it.  If this method also fails, a consumer may opt for binding arbitration.  Commerce will maintain a “Privacy Shield Panel,” which will consist of a pool of at least 20 arbitrators, none of whom may be affiliated with a Privacy Shield signatory.  The arbitration award can only consist of “individual-specific, non-monetary equitable relief” necessary to remedy the alleged Privacy Shield violation at issue, such as access, correction, deletion, or return of the individual’s data.  Arbitration proceedings should reach a decision within 90 days, and decisions will be enforceable under the Federal Arbitration Act.  Decisions made under that Act can, in certain limited circumstances, be challenged in federal courts.

  2. More Detailed and Specific Onward Transfer Restrictions

The Privacy Shield also expands the Safe Harbor’s onward transfer requirements – that is, the requirements that apply when a Shield signatory transfers personal information (“PI”) to a third party.  Onward transfers to third-party data controllers will require a contract that “provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles.”  For transfers to third-party agents, the organization must (1) transfer data only for “limited and specified purposes”; (2) ascertain that the agent is obligated to provide at least the same protections as required by the Principles; (3) take reasonable steps to ensure processing consistent with the Principles; (4) stop or reasonably remediate unauthorized processing upon notice; and (5) provide a “summary or a representative copy” of the relevant contractual provisions to Commerce upon request.

Unlike under the Safe Harbor, Privacy Shield organizations remain liable for violations by onward transfer recipients acting as agents that process such information in a manner inconsistent with the Privacy Shield, “unless the [signatory] organization proves that it is not responsible for the event giving rise to the damage.”

  3. Annual Certification: Verified By Commerce

The Safe Harbor only required an annual “reaffirmation” of compliance.  Under the Privacy Shield, organizations that self-certify their compliance to Commerce must re-certify on an annual basis, and Commerce will closely verify both certifications and re-certifications for compliance and “that the organizations have in fact registered with the relevant [dispute] mechanism indicated in their self-certification submissions, where such registration is required.”  Commerce can also remove organizations that “persistently” violate the Privacy Shield requirements from the list of Privacy Shield signatories.  Any organization that decides to cease compliance with the Privacy Shield, or is removed by Commerce, must in principle return or delete all personal information received under the Privacy Shield.

In addition to the annual re-certification requirement, the Privacy Shield Framework itself will be subject to an annual review by the European Commission and Commerce, as opposed to the Safe Harbor reviews that occurred every three years.  This annual review opens up the possibility that the Privacy Shield Framework could change on a regular basis, depending upon the political pressures at play.

  4. Expanded Notice & Choice Obligations

The Privacy Shield Principles expand the requirements for self-certified organizations to provide notice and choice regarding PI.  The Safe Harbor only required notice about the purposes of data collection and use, contact information of the self-certified organization for inquiries or complaints, types of third-party data recipients, and choices available to limit use and disclosure.  Under the Privacy Shield, certified organizations must additionally inform individuals about, among other things: (1) the purposes for which the organization discloses PI to third parties; (2) the right of individuals to access their PI; (3) the ability to invoke binding arbitration; and (4) potential liability in cases of onward transfers to third parties.

The Safe Harbor required an opt-out before PI was disclosed to third parties or used for a purpose “incompatible” with the purpose for which it was originally collected, and an opt-in with respect to sensitive information.  Under the Privacy Shield, the opt-out applies to use of PI for a purpose that is “materially different” from the purpose for which it was originally collected (or subsequently authorized).

  5. New Restrictions on National Security Access

A separate letter from the Department of State describes how the Department of State’s “privacy ombudsperson”—Under Secretary of State Catherine A. Novelli—will coordinate responses to requests from EU citizens, channeled through EU member states, for information on U.S. government access to their data for national security purposes.  Importantly, these requests can cover not only data that is transmitted under the Privacy Shield, but also data transmitted pursuant to standard contractual clauses, binding corporate rules, derogations, and possible future derogations.

The ombudsperson will work with other U.S. government agencies to ensure that requests are processed and resolved, and may also refer matters to the Privacy and Civil Liberties Oversight Board for its consideration.  However, the response from the U.S. government will be limited to a statement that the appropriate procedures (under the Privacy Shield or otherwise) were followed, or that any non-compliance has been remedied.

The mandatory annual review process will be an important check to ensure that these commitments are upheld.  Of course, the Privacy Shield also should be considered in light of the post-Edward Snowden changes made in U.S. law and policy, which the Schrems court could not consider because its procedures fixed the factual record as of 2013.  Those changes include the Judicial Redress Act, signed by President Obama last week; the USA Freedom Act, which ended bulk metadata surveillance; and the Presidential Policy Directive on signals intelligence issued in 2014.

Next Steps

As our London colleague Dan Cooper has discussed previously, the EU must now formally adopt the Privacy Shield Framework through the “comitology” procedure.  This procedure, which will involve a non-binding opinion by the Article 29 Working Party (expected at the next plenary meeting on April 12 and 13), a binding opinion by a qualified majority of the Article 31 Committee, and the formal adoption of the adequacy decision by the EU College of Commissioners, is expected to last until early summer.  The Article 29 Working Party issued a press release welcoming the publication of the draft adequacy decision.  However, both the European Parliament and the Council may request that the European Commission amend or withdraw the adequacy decision at any time before its formal adoption.  Once the Framework is approved, Commerce has stated that it will be delivered to the Federal Register for publication within 30 days.

Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.