When you can't find Safe Harbor, raise your Shield!
The Tip of the Night for February 4, 2016 noted that the European Union and United States had agreed on a privacy shield to replace the safe harbor agreement that was invalidated in Schrems v. Data Protection Commissioner. The full text of the agreement was released on February 29, 2016, and it's a long, complex 128-page document. Fortunately, the U.S. Department of Commerce has provided a fact sheet on the agreement, and the European Commission has a one-page chart of its own.
The fact sheet explains that the Shield has not yet been approved for data transfers under EU law, and Commerce won't issue certifications until it has been ruled to be adequate. Companies still self-certify, but their commitment to comply with the Privacy Shield Framework is enforceable under U.S. law. Companies have to respond to direct complaints by EU citizens within 45 days through an 'independent recourse mechanism' which is freely available to the citizen. Companies have to respond to complaints submitted to European Data Protection Authorities (DPAs) within 90 days. EU individuals are given private causes of action in U.S. state courts - the fact sheet specifically mentions claims for misrepresentation. If an issue is not resolved through the recourse mechanism, a company has an obligation to commit to arbitration. The Commerce Department helps to administer the framework through "periodic ex officio compliance reviews and assessments of the program". This would seem to make up for the failure to evaluate companies' self-certification under the old safe harbor scheme that I noted in the Tip of the Night for December 3, 2015. The EC chart indicates that companies have to be able to report the rough number of requests for private data.
Both Commerce and the Federal Trade Commission have to have dedicated points of contact with EU DPAs. The Commerce fact sheet highlights a data integrity provision meant to ensure that only relevant personal information gets processed. When data is sent to a 'third party controller', the Shield participant has to ensure that the third party provides the same level of protection and only processes the data for 'limited and specified purposes'. If an organization is no longer participating under the Framework, it still has to certify its commitment for any data that it retains. The Department of Justice outlines limitations on the U.S. Government's access to confidential data for law enforcement and public interest purposes. EU citizens can make public inquiries through a State Department ombudsman [person] about 'signals intelligence activities'. The EC chart mentions that this ombudsperson must be independent from the U.S. intelligence community.
The EC graphic notes that there will be sanctions or exclusions for companies that don't comply with the new arrangement. Under the agreement the United States Government "affirm[s] [the] absence of indiscriminate or mass surveillance".
The new agreement also calls for an annual privacy summit with NGOs and stakeholders on how developments in American privacy law affect EU citizens.