Status of the EU-US Privacy Shield Framework

April 26th, 2016
Data Security-Privacy

The eagerly awaited successor to the defunct EU-US Safe Harbor Framework for transfer of personal data of EU citizens into the United States was approved by regulators from the United States and the European Union (EU) on February 2, 2016. The new framework, however, does not become effective until approved by the EU member states.

The new framework, known as the “EU-U.S. Privacy Shield Framework,” was designed by U.S. and EU regulators to govern the transfer of personal data from the EU to the United States in a way that supports transatlantic commerce while giving EU citizens significantly stronger protection than the Safe Harbor Framework provided.

The Privacy Shield Framework includes a number of robust protections for the personal data of EU citizens. It provides significant detail regarding how companies may use personal data of EU subjects, requires close U.S. government oversight, and mandates increased cooperation with EU data protection authorities (DPAs). It gives EU individuals multiple ways to address grievances regarding U.S. companies’ compliance with the Framework, and it makes it easier for EU individuals to understand and exercise rights with respect to their personal data.

The EU has proposed that the Privacy Shield Framework be deemed adequate for data transfers under EU law, but that proposal has not been approved by the EU member states. Once an adequacy determination is in place, U.S. regulators (in particular, the Department of Commerce) will begin accepting certifications under the Framework.

To receive data from EU individuals in the U.S., a U.S. company must self-certify to the Department of Commerce and publicly commit to comply with the Privacy Shield Framework’s requirements. Once a company makes the public commitment to comply with the Privacy Shield Framework’s requirements, the commitment will become enforceable under U.S. law. A U.S. company is not required to participate in the EU-US Privacy Shield Framework, but must do so if it wishes to receive the personal data of EU citizens in the U.S.

Regulators hope that all necessary EU approvals for the EU-US Privacy Shield Framework will be received by mid-summer. Although the Privacy Shield Framework provides significantly greater protection to EU individuals than the former Safe Harbor Framework, approval is not a foregone conclusion. For example, a pan-European group of data protection regulators, Article 29, has strongly criticized the Privacy Shield Framework for not providing adequate protection from U.S. government surveillance of EU citizens’ data.

MMM will publish future updates on the EU-US Privacy Shield Framework as developments warrant.