Ever since a European court invalidated the old Safe Harbor laws in 2015, the United States and European Union (“EU”) have been working to create a new system that would offer adequate protection for the collection, storage and use of EU citizens’ private information. It has been no easy battle, as both parties have their own approach and expectations when it comes to privacy.
However, the light at the end of the tunnel may finally be in sight. On February 29 of this year, the European Commission released the EU-US Privacy Shield Framework. The new Privacy Shield agreement is designed to enhance the protection of personal information in a multitude of ways, a handful of which include:
- Requiring more information be provided to users in relation to “Notice” – this includes a declaration by the corporation that they are participating in the Privacy Shield agreement and identification of an independent dispute resolution body that will handle relevant issues;
- Increasing protection of personal data transferred from a Privacy Shield co-operating organization to a third party. This includes a requirement that the organization take reasonable steps to ensure the third party processes and uses the personal information in a way that’s consistent with Privacy Shield;
- Privacy Shield organizations may only collect information that is specifically relevant to its intended use;
- Annual certification with the Department of Transportation or FTC (Federal Trade Commission) that the organization will continue to apply Privacy Shield principles to information collected if it leaves Privacy Shield and keeps the personal data;
- Requiring organizations to respond as quickly as possible to complaints regarding compliance with Privacy Shield principles; and
- Requiring Privacy Shield associated organizations to make public any compliance or assessment reports submitted to the FTC, which become subject to court orders based on non-compliance.
Annex I of Privacy Shield addresses arbitration claims. Under Privacy Shield, organizations are obligated to arbitrate claims against them with regard to the recourse, enforcement and liability principles. A complete list of the principles and what they entail can be found in Annex II of Privacy Shield.
EU citizens can pursue legal remedies through private means in the US court system. However, Privacy Shield participants must commit to binding arbitration at the request of any individual to address complaints not resolved by other recourse and enforcement mechanisms made available under Privacy Shield. This is done so that all EU citizens have access to recourse mechanisms, as not everyone can afford to pursue challenges privately within the courts.
The binding arbitration option will apply to specific “residual” claims, and allow individuals to determine whether a Privacy Shield organization has violated obligations owed to them under the agreement and whether any of these violations continue to be completely or partially unremedied. Binding arbitration will not be available where there are exceptions to the principles or with regard to allegations about the adequacy of Privacy Shield itself.
Both the EU and the US are committed to making this new agreement work. If an individual submits a complaint to the data protection authorities (“DPA”) in the EU, the Department of Commerce is devoted to receiving, reviewing and undertaking every available effort to enable resolution of the complaint and respond to the DPA on the issue within 90 days of receiving it.
In mid-April, the EU announced the completion of new local privacy laws. There is speculation that these new laws will cause increased challenges in implementing the newly agreed-to Privacy Shield, particularly because the new EU policies impose incredibly strict and weighty judgments if a foreign corporation doesn’t comply. However, given the novelty of both of these policies, it is too early to tell what the long-term ramifications will be.
There are many components to the EU-US Privacy Shield; here we have provided a brief overview of the agreement with a focus on the arbitration elements. For more information on what Privacy Shield entails and what you need to do to prepare your organization for the EU market, contact Revision Legal’s Internet Privacy attorneys through the form on this page or call 855-473-8474.