eDiscovery Daily Blog

Details Released on the New EU-US Privacy Shield: eDiscovery Trends

As we discussed last month, the EU-US Privacy Shield, an important new framework for transatlantic data flows was announced on February 2.  Within the same month, the European Commission released details on the new trans-Atlantic data transfer arrangement.

The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice (ECJ) in its ruling in the Schrems case last October 2015 (covered by us here), which declared the old Safe Harbor framework invalid.  As discussed on JD Supra Business Advisor (EU-U.S. Privacy Shield Details Released – Is the New Data Transfer Arrangement Right for Your Company?, written by Robert Stankey and Bryan Thompson of Davis Wright Tremaine LLP), the European Commission released its 34 page Draft Adequacy Decision and supplemental documents on the EU-U.S. Privacy Shield.

As the article notes, “the Privacy Shield will go further than just restoring the status quo ante Schrems. Instead, the new data transfer framework is built upon a set of stringent ‘Privacy Principles’ issued by the Commerce Department” (and also 34 pages) “that U.S. companies will have to comply with” in order to import data from the EU under the framework.  For those of us who haven’t made it through the 68+ pages yet, Stankey and Thompson have summarized the requirements required of U.S. companies, as follows:

  • Provide notice to EU citizens regarding how their data is collected and processed;
  • Allow individuals to choose to “opt-out” (or in the case of sensitive information, “opt-in”) when their personal data is shared with non-agent third parties or used in ways “materially different” from its original purpose;
  • Implement “reasonable and appropriate” data security measures, including contractually requiring all sub-processors to provide the same level of data security demanded by the Privacy Principles;
  • Ensure the reliability and integrity of personal data, and process personal data in only those ways authorized;
  • Provide EU citizens with access to their personal information, including the right to confirm whether their personal data is being processed by an organization;
  • Limit “onward transfers” of personal data to specific purposes that are based upon a contract and which include data protections equivalent to the Privacy Principles, with more detailed responsibilities and conditions than under Safe Harbor on data processing by suppliers and other third parties (including some form of notice and choice); and
  • Provide “robust” compliance and recourse mechanisms, giving EU citizens access to free and independent recourse mechanisms to redress alleged non-compliance.

Key to the new Privacy Shield are those mechanisms for complaint handling, dispute resolution and redress requirements that require self-certifying companies to respond to complaints of non-compliance within 45 days and designate an “independent dispute resolution body” to investigate and resolve EU citizens’ complaints free of charge.  It’s also important to note that the Commerce Department can remove a company from the Privacy Shield List if it finds the company has “persistently” failed to comply with the Privacy Principles, and refer perceived violations to the FTC for further enforcement action.

What’s next?  The European Commission is awaiting comments from the EU’s Article 29 Working Party (“WP29”) and the Article 31 Committee representing EU national governments before deciding whether to have the Draft Adequacy Decision approved by the full European Commission or make further changes in the terms of the Privacy Shield.  There could also still legal challenges.  So, there are still some milestones to complete before the Privacy Shield goes into effect.

So, what do you think?  Now that we know more details, does the new “Privacy Shield” appear to be an appropriate replacement to the old Safe Harbor?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.