On February 2, 2016, following the announcement of the EU-U.S. Privacy Shield Agreement, the U.S. Department of Commerce distributed a fact sheet about the new data-transfer agreement with the European Union. The fact sheet provides further detail on the elements of the agreement described in the EU Commission's press release.
The Department of Commerce’s fact sheet states that U.S. companies participating in the EU-U.S. Privacy Shield must "commit to participate in arbitration as a matter of last resort to ensure that EU individuals who still have concerns will have the opportunity to seek legal remedies." Arbitration will be “at no cost to the individual.” Whether U.S. companies must bear the cost is not clear.
Further, the fact sheet states that the Privacy Shield contains additional obligations regarding use of service providers by participating companies in the form of "new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies' agents to improve accountability and ensure a continuity of protection."
The Privacy Shield allows for European Data Protection Authorities to refer complaints to the Department of Commerce and the Federal Trade Commission. The Department of Commerce states it will dedicate "a special team with significant new resources to supervise compliance with the Privacy Shield" as part of its effort to resolve these complaints.
The EU Commission press release also announced that the U.S. gave the EU Commission written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The fact sheet provides details on the nature of these written assurances, stating that "[i]n connection with finalization of the new EU-U.S. Privacy Shield, the U.S. Intelligence Community has described in writing for the European Commission the multiple layers of constitutional, statutory, and policy safeguards that apply to its operations, with active oversight provided by all three branches of the U.S. Government."
While the Department of Commerce has shed a bit more light on the details of the EU-U.S. Privacy Shield, many questions still remain. Stay tuned.
By Carolyn Krol