The EU-US Privacy Shield? Still Waiting to See What it Is
By now, you have likely read about the EU-US Privacy Shield. Its origins lie in Safe Harbor. To recap Safe Harbor, a US business used to be able to self-certify its compliance with the principles under the EU-US Safe Harbor treaty. The principles set forth certain practices US companies needed to follow in order to be deemed adequate by the EU. More simply put, the treaty enabled a simple process for conducting business across the Atlantic. Last fall, the treaty was declared invalid by the European Court of Justice. That decision left US businesses, particularly small businesses, with uncertainty.
A few days ago, the FTC and the European Commission announced that they had reached an agreement on the guidelines for a new treaty. What the exact agreement is has not yet been disclosed. However, they are publicly referring to it as the “EU-US Privacy Shield.”
They did disclose some high-level changes that the EU-US Privacy Shield will require. Previous posts recommended actions to help businesses in their cross-border privacy practices, and those recommendations seem to be useful for compliance with the EU-US Privacy Shield. Here are the high-level requirements of the EU-US Privacy Shield:
- Display a privacy policy for consumers;
- Update current privacy policy in accordance with the guidelines;
- Agree to comply with the decisions of EU DPAs if your business handles any European citizen’s HR data.
The other components released focus on US law enforcement surveillance and national security. In fact, this seems to be the crux of the new treaty. According to the media disclosures, it will include specific guidelines about how US law enforcement may conduct surveillance on EU citizens. But even more than that, it will provide an opportunity for redress. Last week, we submitted a post on the Judicial Redress Act. The Judicial Redress Act, sponsored by James Sensenbrenner, a Representative from Wisconsin, passed the House of Representatives late last year and is up for Senate approval. Basically, the bill authorizes natural citizens of foreign countries (or regional economic integration organizations who are designated by the Department of Justice) to bring civil actions under the Privacy Act of 1974 against certain U.S. government agencies to redress unlawful disclosure of records transferred from the foreign country to the U.S. The EU has publicly stated that the US needed to adjust its surveillance and national security practices to allow redress by EU citizens for disclosures of their private information. The Judicial Redress Act would fulfill this condition. However, it appears that the EU-US Privacy Shield may also include redress.
Of particular interest is that there are opponents to the EU-US Privacy Shield who feel that these guidelines on US surveillance and redress procedures may not be enough. So, passage of the EU-US Privacy Shield is not guaranteed.
And there are still many questions to be answered surrounding adoption. For example, if you already certified under the original Safe Harbor, do you have to pay the fee again? Or are you grandfathered in? Can you still rely on your dispute resolution mechanism? Why did they call it a shield? Are U.S. citizens equally shielded from surveillance by European countries? Do US citizens have an opportunity for redress based on EU surveillance? How does a US company handle US law enforcement inquiries about its European customers? We will just have to wait and see.