EU Commission releases proposed text for EU-U.S. Privacy Shield to replace Safe Harbor Agreement

2 March 2016

Introduction
On Monday, 29 February 2016, the European Commission released the proposed text for the Privacy Shield Principles and the corresponding draft adequacy decision with respect to EU-U.S. personal data transfers, as well as letters from US institutions on the implementation and enforcement of the Privacy Shield. The Privacy Shield is to replace the Safe Harbor Agreement which was declared invalid by the European Court of Justice on 6 October 2015.

The Privacy Shield Principles and further procedures

The Privacy Shield Principles consist of the following seven categories:

(i) notice: the controller should inform the data subject on the processing of its personal data;

(ii) choice: the controller should offer the data subject the possibility to opt out of disclosure of its personal data to a third party or use of its personal data for a different purpose;

(iii) accountability for onward transfer: the data controller should ensure that a third party receiving personal data also complies with the Privacy Shield Principles;
(iv) security: the data controller should take reasonable and appropriate measures to protect the personal data;

(v) data integrity and purpose limitation: the data controller may not process the information that is incompatible with the purposes for which it has been collected, and the data controller should take reasonable steps to ensure that the personal data is accurate, complete and current;

(vi) access: the data subject should be able to correct, amend or delete its personal data where it is inaccurate; and

(vii) recourse, enforcement and liability: effective privacy protection must include robust mechanisms for assuring compliance with the Privacy Shield Principles, recourse for individuals who are affected by non-compliance with the Privacy Shield Principles, and consequences for the organization when the Privacy Shield Principles are not followed.

In addition, the Privacy Shield holds a supplemental set of principles including detailed provisions regarding sensitive data, the role of data protection authorities, self-certification, human resources data, obligatory contracts for onward transfers, pharmaceutical and medical products, and access requests by public authorities.

Important changes in the Privacy Shield compared to the Safe Harbor scheme relate to the increased regulatory oversight for Privacy Shield certified companies by the US Department of Commerce and the Federal Trade Commission, increased accountability for onward transfer of personal data, and more detailed procedural requirements regarding the yearly self-certification of organizations and exceptions allowing the transfer of sensitive data. Furthermore, the Privacy Shield includes additional complaint mechanisms for data subjects. These include arbitration by a Privacy Shield Panel against the certified Privacy Shield organization and a new Ombudsman mechanism at the US Department of State for complaints regarding access to personal data by US intelligence agencies.

Next steps
The Article 29 Working Party, consisting of representatives of the data protection authorities in the European Union, may issue a non-binding opinion, and the Article 31 Committee, consisting of representatives of the European Member States, may issue a binding opinion prior to formal adoption of the proposed text by the EU College of Commissioners. It is expected the EU College of Commissioners aims to formally adopt the proposed text in June 2016.

Practical consequences
The Privacy Shield includes more specific requirements for the transfer of personal data from the EU to the US than the now-invalid Safe Harbor scheme. Although the proposed text is still subject to review and approval by several EU institutions, organizations can now start determining which transfer mechanism, such as the Privacy Shield, European Commission Standard Contractual Clauses, or Binding Corporate Rules, is best suitable to validate their transfers of personal data to the US