Privacy Shield 101: What Does the Future Look Like?

The Privacy Shield has many moving parts. While the situation is still somewhat volatile, here's what the future of data privacy regulations might look like.

3 June 2016


In my last post, I discussed what the Privacy Shield aims to do in terms of protecting the data of European citizens, and what you would need to do to comply if you're a U.S. company doing business in Europe.

One of the things Europeans hated about Safe Harbor was its limited enforcement. The Privacy Shield, however, has stricter requirements for companies and government authorities, stronger enforcement, and ongoing oversight. As part of these rules, any EU citizen who believes that a U.S. company has misused their data will now have access to several enforcement mechanisms which you can read about here.

So what happens next?

On Wednesday 13 April, the Article 29 Working Party announced its opinion of the Privacy Shield and stated that it did not currently provide European citizens adequate protection unless the European Commission and the U.S. regulators redrafted and clarified certain aspects. This opinion is not legally binding on the European Commission, which may go ahead and approve the Privacy Shield as is. However, if the Commission does not heed the advice of the Article 29 Working Party, legal challenges are almost certain, and the European Court of Justice (CJEU) — the same court that ruled Safe Harbor was invalid — will then have the final say.

The EU-US Privacy Shield will also have to be consistent with the EU’s new General Data Protection Regulation (GDPR). The GDPR was approved by the EU Parliament on 14 April and has a two year implementation phase.

What happens in the future?

Unlike Safe Harbor, the Privacy Shield is meant to be a dynamic agreement, with annual reviews to determine whether it is functioning as intended. The European Commission and the U.S. Department of Commerce will conduct this joint review, assisted by the DPAs, U.S. national security authorities and the Ombudsperson (a mechanism established to investigate concerns by EU citizens about the U.S. government spying on their data). In the event that companies or government authorities are not fulfilling their commitments, the Privacy Shield could be revised, suspended, or abandoned altogether. In short, change is built into the process.

What should my company do now?

The Privacy Shield has many moving parts, and there’s some uncertainty about what shape the final agreement will take. While the situation is still somewhat volatile, companies should be putting the pieces in place to comply with the Privacy Principles (updating their Privacy Policy, updating contracts with third parties to ensure they comply with the Principles, designating the independent dispute body, etc.). At the same time, they should recognize that all provisions are subject to change, and they will need agility in their processes to be able to adapt.

One final point: the Privacy Shield not only imposes stricter compliance requirements and enforcement than Safe Harbor; it also means that complaints and investigations will probably become much more common — part of the fabric of doing business in Europe. Since it’s now much easier for EU citizens to file a complaint when they suspect potential abuse, companies will have to be prepared to defend themselves by demonstrating that they’re in compliance.

We’ll be exploring the Privacy Shield further in upcoming posts, including how to meet the various requirements of the Principles and how the new agreement meshes with other privacy and data protection rules. Stay tuned!
