After months of uncertainty, the US again has a framework of rules to follow that will govern US businesses’ use of EU residents’ data. The European Commission approved the text of the EU-US Privacy Shield (the “Privacy Shield”) today. The Privacy Shield effectively replaces the EU-US Safe Harbor mechanism, which was struck down in October of 2015. As with Safe Harbor, companies can self-certify under the Privacy Shield to receive personal data from the EU and must annually re-certify to validate their participation.
The Privacy Shield requires that companies processing data of EU residents in the US commit to complying with certain privacy principles to ensure an adequate level of protection for that data. The Privacy Shield also creates oversight and enforcement mechanisms to ensure companies’ compliance with the Privacy Shield’s privacy principles and to punish those who fail to comply. Importantly, the Privacy Shield attempts to protect EU personal information from access and use by the US government under the auspices of national security and surveillance. This issue was the EU’s largest criticism of Safe Harbor, and it is the issue most threatening to the survival of the Privacy Shield. The status of the Privacy Shield is at risk even on the day of its enactment, as critics voice doubts that it contains adequate provisions to stave off US government surveillance practices.