From Safe Harbor to the New EU-U.S. Privacy Shield: What Should We Do Right Now?

The news has been zipping around the Internet. The EU Commission has announced that a “new framework for transatlantic data flows” has been agreed upon, called the EU-U.S. Privacy Shield. Of particular concern had been the potential that U.S. companies participating in the Safe Harbor framework would provide EU individuals’ personal data to the U.S. government. Under the new “Shield” program, the U.S. and the EU have agreed that there will be “clear conditions, limitations, and oversight” on the provision of EU individuals’ data to U.S. authorities.

The announcement has companies asking their lawyers: what should we do today to get under this Shield? The answer is, unfortunately, not much. The new framework has not yet been put in place on the U.S. side, and the EU has not yet drafted its adequacy decision. The Commission has indicated, though, that the Shield program will require companies to “commit to robust obligations” on the data security front. The program will also permit EU data protection authorities to refer EU citizen complaints to the FTC.

TIP: Until the Privacy Shield program is put in place, companies engaging in transfers of data from the EU to the U.S. have the same options we have discussed in the past. Companies may also want to start thinking about how they will live up to “robust” data security promises and how they might address complaints from the EU that would get referred to the FTC.