European Union Privacy Shield Framework

In recent years, the internet has connected the general public across continents.  Data can now travel across countries in the blink of an eye, without any delay and on a daily basis.  The transfer of data is an important part of business as well.  For any multinational entity, personal data crossing between countries is inevitable.  However, each country may have different guidelines with which a business must ensure compliance.

Recently, the European Union announced a change to its privacy laws.  Formerly, it allowed American and other businesses to obtain a “pass” under its privacy laws by certifying themselves as compatible with its safe harbor scheme.  This safe harbor scheme required a business to meet standards for privacy protection.  However, on October 6, 2015, the European Court of Justice ruled that the previous system for allowing corporations to obtain accreditation and shift data between the United States and Europe was improper due to the current intelligence methods in the United States.  This ruling ended the safe harbor provision.

The new rules establish a Privacy Shield register and a free alternative dispute resolution system.  Organizations will have to self-certify annually, with verification by the Department of Commerce, and comply with the Privacy Shield framework.  As part of compliance, organizations must provide a response within 45 days and create a no-cost independent recourse system where complaints and disputes will be resolved in a timely manner.  In addition, European residents will be able to pursue legal action for claims such as misrepresentation, and participants must commit to binding arbitration at the European citizen’s request.

The major theme of the new regulation is essentially a restriction that puts some “teeth” into the Privacy Shield in order to ensure it will stand up to a challenge like the one that took down the Safe Harbor agreement.  As such, multiple regulations are placed in part on the state, such as the existence of an ombudsman and the ability for European citizens to complain about privacy rights violations.  With regard to the private sector, the major drawback is that the new system does not allow for the same self-certification processes and places businesses under more regulation.  Of note is the prohibition on the collection of additional data: without additional data beyond what a service might reasonably require, advertisements may be more difficult to place, and there may be limitations on service as a result.  In addition, while personal data is currently transferred between the United States and Europe, businesses would have to change in order to comply and avoid any potential liability under the new rules.  However, the process is not quite finished.  The member states of the European Union still need to hold a vote to officially approve the transfer of data.

At our law firm, we assist clients with legal issues related to business, technology, and e-commerce transactions.  You may contact us to set up an initial consultation.