U.S. and EU Agree on New Data Transfer “Privacy Shield” To Replace Safe Harbor, but Compliance Questions Remain

The U.S. Department of Commerce and the European Commission (EC), the executive branch agency of the 28-member European Union (EU), have reached agreement on a new “Privacy Shield” Framework to facilitate data flow from EU member countries to the United States, including human resources data.  The Privacy Shield is designed to replace the so-called Safe Harbor agreement, which the European Court of Justice struck down last fall.

The Privacy Shield has some basic structural similarities with the Safe Harbor agreement, but also contains some significant differences, designed primarily to address the many concerns expressed by privacy advocates and others in the EU about the security of personally identifiable data that is transferred to the U.S.

For instance, the new Privacy Shield Framework imposes greater obligations on companies that participate and provides for robust enforcement through several U.S. government agencies.  The new Framework also includes clear limits and safeguards with respect to U.S. law enforcement access to data, provides EU individuals with several avenues for redress if a company does not meet its obligations, and calls for joint annual review of the Framework by U.S. and EU authorities.

Although a new Privacy Shield has been agreed to, there still are several steps that must be taken before U.S. businesses can begin using it as a tool to bring data from the EU without violating EU law.

A six-page U.S. Department of Commerce (USDOC) fact sheet providing an overview of the Privacy Shield and the requirements for companies that choose to participate is available here.

Members of the Equal Employment Advisory Council (EEAC) can read more here.