EU-US Privacy Shield Agreement increases oversight of data transfers: US companies brace for requirements

On February 2, 2016, the European Commission of the European Union (EU) and the US Department of Commerce reached agreement on a new transatlantic data transfer pact. The new pact, known as the EU-US “Privacy Shield,” establishes a new framework for the data transfers that underpin the world’s largest trading relationship, that between the EU and the US.

The original 15-year-old “Safe Harbor” agreement was invalidated by the EU’s highest court (the European Court of Justice) in October 2015, when the court found that the agreement with the US violated the privacy of EU citizens. The new Privacy Shield agreement puts in place a more robust framework with additional levels of process and oversight requirements.

While the full text of the new framework is not available yet, the US Commerce Department has released a fact sheet. The agreement still needs to be reviewed by the EU Article 29 Working Party and the EU College of Commissioners, but assuming it remains substantively the same, the Privacy Shield agreement includes:

  • Stronger obligations on US companies to protect EU citizens’ personal data, including new privacy protections for data transfers by participating US companies to third parties
  • Stronger monitoring, oversight, and enforcement of the agreement to be carried out by the US Department of Commerce and Federal Trade Commission (FTC)
  • Registration with the US Department of Commerce by US companies participating in the Privacy Shield pact
  • Limitations and oversight on US government access to EU citizens’ data for national security and law enforcement purposes
  • A new privacy office in the US to handle EU citizens’ data privacy complaints
  • An annual review of US commitments and performance against the Privacy Shield agreement

The agreement will affect approximately 4,500 companies that move and/or store personal data, including financial services organizations, retail and e-commerce companies with European customer information, online advertising companies, companies that store data (via cloud services) on behalf of European companies, and companies that store human resources documentation on European employees.

What to do now: Alternatives and impacts of the EU-US Privacy Shield

  • Understand the risks based on the agreement. When the full text of the agreement is publicly released, US companies must review it carefully before deciding whether to commit to and participate in it.
  • Consider all options and alternatives for data transfer protocols and oversight until the agreement is fully binding. The agreement’s announcement stated that it will be implemented within the next three months. Until it is implemented, affected organizations should use alternative legally valid means to conduct data transfers. EU law currently provides two other means of transferring personal data legally:
    • Model Contracts: The EU has approved model contracts that companies can use for data transfers; these usually receive automatic approval from the various EU data protection authorities (DPAs).
    • Binding Corporate Rules (BCR): Multinational companies can define internal rules for performing international data transfers, which they can get approved by a lead DPA.

    While these methods are more time-consuming to implement because they often require prior approval from regulators, they may be considered less invasive than opting into the new framework.
  • Closely monitor developments related to the EU-US Privacy Shield implementation, its requirements, oversight, and enforcement details as specific impacts continue to emerge.

For more information, contact Baker Tilly’s technology risk and cybersecurity team to conduct an assessment of your current data transfer protocols and compliance.