The Privacy Shield agreement is intended to guarantee the personal information of European Union citizens the same privacy protection when processed in the U.S. as it would receive at home. Where these guarantees are not available, the information must stay in the EU.
Privacy Shield replaces the earlier Safe Harbor agreement, which was torn up by the Court of Justice of the European Union last October because it did not provide adequate protection.
Like its predecessor, Privacy Shield require U.S. businesses wishing to process EU citizens’ personal information to self-certify that they will comply with a certain number of principles.
Privacy Shield was little more than a name when the European Commission announced the agreement on Feb. 2, but on Monday it fleshed out details of its negotiations with U.S. authorities.
Here are five things businesses need to know about the Privacy Shield principles
1. Signing up is voluntary; compliance is compulsory
Signing up to Privacy Shield is voluntary but if a business does not sign up, it can not process EU citizens’ data in the U.S. Once a business has signed up, compliance with the principles is compulsory and can be enforced by the U.S. Federal Trade Commission.
Participating companies must publish—and respect—their privacy policies. Those that don’t keep their promises may be sanctioned or excluded from the Privacy Shield agreement. The U.S. Department of Commerce will publish a list of companies that have signed up, and another of those that have been excluded.
2. National security still trumps Privacy Shield
Where the Privacy Shield principles conflict with U.S. national security or law enforcement needs, you can forget Privacy Shield. Article 5 of the agreement says: “Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b)
by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations.”
3. Mass surveillance is still allowed
Even though its openness to mass surveillance of EU citizens’ communications and online activities was one of the things that brought down Safe Harbor, such surveillance activities are still allowed under Privacy Shield. The EU’s fact sheet claims that “U.S authorities affirm absence of indiscriminate or mass surveillance,” but U.S. documents forming part of the agreement claim nothing of the sort. The U.S. still allows itself to perform bulk surveillance for six purposes: detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to U.S. or allied armed forces, and combating transnational criminal threats, including sanctions evasion.
4. Businesses will have 45 days to reply…
If an EU citizen complains about the treatment of their personal information under Privacy Shield, companies will have 45 days to reply their complaint. If the reply doesn’t bring satisfaction, the complainant can have recourse to a number of other resolution mechanisms, including a free alternative dispute resolution service and their own national privacy regulator.
5. … but it hasn’t started yet
The European Commission jumped the gun in announcing Privacy Shield on Feb. 2, as many of the written promises from the U.S. on which the agreement depends did not arrive for another three weeks. On Feb. 29 the Commission published those documents, along with a draft “adequacy decision,” the legal instrument by which Privacy Shield’s provisions will be declared equivalent to the protections offered by EU law.
The draft adequacy decision is still open to challenge by the governments and data protection authorities of the EU’s 28 member states, and must be reviewed annually to ensure that all parties are still respecting the undertakings on which it is founded. If they aren’t, then in theory it can be suspended.