Marvel fans know that Captain America’s shield is extraordinary, but exactly what it’s made of remains unknown – Vibranium? Adamantium? Unobtanium (oops, wrong movie)? For the time being, similar mystery shrouds the specifics of the new EU-U.S. Privacy Shield. Four months ago we posted on the European Court of Justice’s ruling that the U.S.-EU Safe Harbor was invalid. This Tuesday the European Commissioner announced negotiations with the U.S. had successfully yielded a new vehicle for compliant cross-border transfers of EU residents’ personal data, dubbed the EU-U.S. Privacy Shield. But until details of the new vehicle are disclosed, the specific features of the Privacy Shield remain murky.
For many U.S. companies, announcement of the Privacy Shield came not a moment too soon. Following the October 2015 invalidation of the original Safe Harbor, EU data protection authorities gave the EU and U.S. until Jan. 31 to reach a new agreement before they began enforcement under EU privacy laws. Through late December, 78 percent of U.S. companies were still using the defunct Safe Harbor and holding out hope for a “Safe Harbor 2.0.”
The initial relief at reaching an agreement has now given way to uncertainty. The Privacy Shield will not be effective until it is approved by the EU’s 28 member states. Until then, companies relying solely upon the invalid Safe Harbor Framework may face enforcement from the EU data protection authorities. For now, those who rely on alternative transfer mechanisms, such as Model Contract Clauses or binding corporate rules, are able to continue with data transfer. Earlier this week, the EU data protection authorities expressed concern over the legality of these mechanisms, but have agreed to suspend a further review until after they are able to assess the details of the Privacy Shield.
Thus far we know of three principal elements of the Privacy Shield that are different from the predecessor Safe Harbor Framework:
- New corporate regulations will strengthen protection of data,
- EU citizens who have their privacy breached will have multiple options for redress, and
- A new ombudsperson position in the U.S. will be established to communicate with EU member states about perceived violations.
What else is likely? The contours of the Privacy Shield will address the Safe Harbor’s shortcomings, at least as viewed by the European Court of Justice in its invalidation ruling of last fall. Options for EU citizens’ redress will include alternative dispute resolution and arbitration. It also seems clear that the registration requirements will not be the same as they were under the Safe Harbor. Moreover, U.S. companies will likely have greater responsibilities, and greater exposures, for data protection. For example, to operate under the Privacy Shield, a company will need to commit to offer arbitration, cost-free to the EU citizen, in the event other methods of redress fail.
Yet basic, important questions remain unanswered. When will the Privacy Shield become effective? How long will it take and what will be needed to register under the Privacy Shield? With what new regulations will companies need to comply? The EU data protection authorities expect to see the documents for this deal by the end of February, with approval some time thereafter. And as with any deal of this magnitude, the devil is in the details.