Proposed EU-US Privacy Shield Program enters new phase with release of details

The US and the European Commission have released details about the proposed Privacy Shield program, formerly known as the “EU-US Safe Harbor Framework.” A key takeaway on the US side is that the program will still rely on self-certification, although with improved verification and monitoring mechanisms.

For its part, the US Department of Commerce has released a 132-page package containing the program principles and letters from the FTC, the Department of Transportation, and the Office of the Director of National Intelligence, among others, about how the program would operate, how program enforcement would work, and how a surveillance ombudsman would work. The package also contains the “Arbitral Model,” which describes how binding arbitration would operate in the system proposed to handle individuals’ complaints. According to the Department of Commerce, the full Privacy Shield package will be published in the Federal Register within 30 days of an adequacy determination.

The European Commission also released information and documents today, including a FAQ, a Fact Sheet, and most importantly, a draft Adequacy Decision. The draft adequacy decision is a crucial document and will be heavily scrutinized on both sides of the Atlantic.

Earlier in February, the European College of Commissioners voted to approve the new Safe Harbor deal with the United States. With the 29 February release of the program details and the US Judicial Redress Act signed into law on 24 February, the agreement is several steps further along the path to finalization. However, important steps remain before the deal is complete. Among them, the draft adequacy agreement will have to be agreed upon in Europe, after which the US Department of Commerce will publish the entire Privacy Shield package in the Federal Register.

Important controversies remain, especially those around the efficacy of the Judicial Redress Act and the ombudsman proposal. Not surprisingly, early reaction to the proposal was mixed. WPF is reading the proposal and will be publishing a more detailed analysis. In the meantime, the timeline for final approvals from the EU side is an unknown. The very next steps are to wait for parties in Europe to act. Key to watch for are opinions on the proposal from the Article 29 Working Party. Also watch for the European College of Commissioners to approve the proposed draft adequacy decision.

Related Documents and Information:

Privacy Shield Package DOC, 29 Feb. 2016  

EU Commission Privacy Shield Fact Sheet 

Judicial Redress Act of 2015 (Signed into law 24 Feb. 2016) 

EU Commission draft adequacy decision 

Article 29 Working Party 

Presidential Policy Directive 28 (Signals Intelligence Activities) 

European Commission press release 02 Feb. 2016

Statement of the FTC Chairwoman Edith Ramirez

Video of the early February press conference (EU)