Nearly 2,000 organizations are now listed as self-certified to the EU-U.S. Privacy Shield on the Department of Commerce’s (“Commerce”) Privacy Shield website.  Given current developments on both sides of the Atlantic, there are likely to be significant Privacy Shield developments in the coming months.

EU Justice Commissioner Věra Jourová recently concluded her visit to the U.S. to meet with Trump Administration officials and others regarding the status of the Privacy Shield.  During her visit, Commissioner Jourová spoke about the importance of the Privacy Shield as a framework with “enormous potential to strengthen the transatlantic economy and reaffirm our shared values.”  She also met with Commerce Secretary Wilbur Ross to discuss the Privacy Shield, and announced that the first annual joint review will occur in September, which she indicated would be “an important milestone where we need to check that everything is in place and working well.”
Continue Reading Privacy Shield Approaches 2,000 Participants; Review Scheduled for September

On February 9, 2017, six Democratic senators wrote to DHS Secretary John Kelly about their concerns over a Trump executive order that would remove Privacy Act protections for non-U.S. citizens and lawful permanent residents.

Senators Ed Markey (MA), Ron Wyden (OR), Jeff Merkley (OR), Al Franken (MN), Chris Coons (DE), and Mazie Hirono (HI) wrote that Section 14 of the order would make it easier for government agencies to share non-citizens’ personal information with Congress and the public.
Continue Reading Senators Seek Answers from DHS on Privacy Aspects of Trump Order, Including Privacy Shield

On January 25, 2017, President Trump signed a new Executive Order on Enhancing Public Safety in the Interior of the U.S.  Among other elements, the Executive Order directs U.S. government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” but only if doing so is “consistent with applicable law.”

This prompted certain commentators, such as Member of the European Parliament Jan-Philipp Albrecht, to question whether the Executive Order would have an impact on the robustness of the EU-U.S. Privacy Shield data transfer framework
Continue Reading European Commission Dismisses Privacy Shield Concerns Over Trump Executive Order

In an interview with Politico (link requires a subscription), EU Justice Commissioner Věra Jourová, one of the principal architects of the EU-U.S. Privacy Shield, indicated that she plans to visit the U.S. once the Trump Administration is in place to assess the state of the new administration’s commitment to the Privacy Shield.  In the interview, Jourová indicated that she would seek to ensure that the U.S. maintains a “culture of privacy” under the new administration, and that the U.S. government would continue to adhere to its commitments with regard to U.S. law enforcement and surveillance activities that were included within the Privacy Shield framework.

The Privacy Shield was based in part on a series of letters published by various Obama Administration officials relating to oversight and enforcement of the Privacy Shield Principles by the U.S. government.  These letters were included as annexes to the Commission Implementing Decision that forms the legal basis for the Privacy Shield in the EU, and are posted to the U.S. Department of Commerce’s Privacy Shield website.  They include a letter from the Department of State to Commissioner Jourová describing the new Privacy Shield Ombudsperson designated to field inquiries from the EU regarding U.S. signals intelligence practices, and letters from the Office of the Director of National Intelligence (Letter 1; Letter 2) and the Department of Justice describing safeguards and limitations applicable to U.S. national security authorities and law enforcement authorities, respectively.
Continue Reading EU Commissioner Plans to Assess U.S. Privacy Shield Commitments

On September 16, 2016, Digital Rights Ireland (“DRI”), a digital rights advocacy group, lodged an action with the EU General Court for annulment of the European Commission’s Decision on the EU-U.S. Privacy Shield arrangement.  While the existence of the application has only recently become public knowledge, it was widely expected that the Privacy Shield would face a legal challenge.  It is also unsurprising that DRI has brought the action (given its objections to the Privacy Shield before it was agreed and its intervention in the Safe Harbor case).

Background

The Privacy Shield was agreed earlier this year, replacing the Safe Harbor framework that was invalidated by the Court of Justice of the EU (“CJEU”) in Schrems.  The Privacy Shield provides a legal basis for transfers of personal data from the European Economic Area to Privacy Shield-certified companies in the U.S.  To date, over 600 companies have certified to the Privacy Shield.  The Privacy Shield contains a much more robust set of commitments than those underpinning the Safe Harbor and will provide stronger protections to data subjects in the EU than its predecessor.
Continue Reading Challenge to EU-U.S. Privacy Shield Lands at EU Court

On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here).

That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11).  Once translated and published in the Official Journal of the EU, the adequacy decision will then enter into force.

However, there may need to be an implementation period during which the EU and U.S. put in place relevant structures; it is expected that Commissioner Věra Jourová will provide more details to the European Parliament on Monday, and in a joint press conference on Tuesday with U.S. Secretary of Commerce Penny Pritzker.

Once that implementation phase is complete, U.S.-based companies will be able to self-certify under the Privacy Shield.  Doing so provides a legal basis which entities in the European Economic Area can rely on to transfer personal data to those Privacy Shield-certified companies in the US.
Continue Reading Privacy Shield Deal Passes Major EU Hurdle

Today, the Article 29 Data Protection Working Party (“Working Party”), a group consisting of representatives from the European data protection authorities, the European Data Protection Supervisor, and the European Commission, published its opinion on the EU-U.S. Privacy Shield draft adequacy decision (“Opinion”) (see here). The Opinion is accompanied by a second document, Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (“European Essential Guarantees”) (see here). This document sets out EU standards for surveillance by public authorities in the EU and U.S., as formulated by the Working Party. The Working Party also issued a press release (see here). The chairwoman of the Working Party, CNIL President Falque-Pierrotin, presented the documents today in a press conference, a recording of which is available here.

According to the Working Party, the Privacy Shield contains significant improvements compared to the now-defunct EU-U.S. Safe Harbor framework; however, there remain certain concerns and a need for clarification. 
Continue Reading EU Data Protection Authorities Call For Further Clarifications on the EU-U.S. Privacy Shield and Raise Some Concerns

Yesterday, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) held a public hearing on the EU-US Privacy Shield, see agenda here and a video of the hearing here. While European Parliament support is not strictly necessary for the approval of the Privacy Shield, it’s
Continue Reading European Parliament Committee Debate on the EU-U.S. Privacy Shield

As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce.  Commerce’s release coincided with the release of a draft adequacy decision by the European Commission.

A number of the Privacy Shield principles, notably in enforcement, onward transfer, and regular review, are significantly more stringent than the Safe Harbor.  In light of these new obligations, among others, privacy professionals should carefully consider whether this data-transfer framework is right for their companies.

  1. Tougher and Binding Remedies and Enforcement

In addition to FTC enforcement under Section 5, the Principles encourage individuals to bring their complaints directly to the organization at issue, to which the signatory must respond within 45 days.  If the complaint is not resolved, the consumer may bring his or her complaint before an independent dispute resolution body.  The Principles allow signatories to utilize U.S.- or EU-based dispute resolution bodies, or a panel of EU member state data protection authorities (DPAs).
Continue Reading Privacy Shield: Top Five Reasons It’s Tougher Than the Safe Harbor, Whether You Should Certify, and Next Steps