June 26, 2017

June 26, 2017

Subscribe to Latest Legal News and Analysis

New US-EU ‘Privacy Shield’ Will Impose Heightened Compliance Obligations on US Companies

The European Commission and United States Department of Commerce agreed to a new transatlantic data transfer pact on Tuesday, two days after the January 31st deadline imposed by European data protection authorities. The deal comes four months after the European Court of Justice invalidated the Safe Harbor Agreement in Schrems v. Data Protection Commissioner.


Details of the new deal, which is being called the EU-US Privacy Shield, are not yet fully public. At a press conference in France, however, EU Commissioner Vera Jourova indicated that the new framework will impose stronger obligations on both US federal agencies and US companies. Technology companies in particular may face the strongest scrutiny.

Based on what is known, the Privacy Shield will require stronger monitoring of corporate privacy practices by the Department of Commerce and Federal Trade Commission. European citizens will have several mechanisms by which they may raise complaints about the privacy practices and treatment of personal data by US companies, both in Europe and the United States. The Privacy Shield will also be subject to an annual review by US and EU representatives, meaning the nature and scope of corporate obligations may change regularly. 

Unlike the old self-certification regime of the invalidated Safe Harbor Agreement, US companies should expect not only heightened privacy standards under the Privacy Shield, but also greater obligations to affirmatively demonstrate compliance. The EU Commission’s statements imply that US companies will have to agree to more robust European-style privacy standards, publish their commitments to such standards in privacy policies and will be subject to FTC enforcement actions on deceptive trade practice grounds for the failure to comply with posted policies.

The Privacy Shield deal also calls for the creation of an independent privacy ombudsman within the US Department of State. This independent ombudsman will respond to complaints related to government surveillance and government access to data about EU citizens stored in the US. This last point is significant, as it may save Binding Corporate Rules and model contract clauses as alternatives for US companies seeking to transfer data from Europe. The availability of alternatives, however, is far from clear.

In fact, the Article 29 Working Party has not yet approved of the Privacy Shield, and does not expect to do so until the end of March. While the Working Party has reiterated that Binding Corporate Rules and model contract clauses are still valid, it has left the question of enforcement of the existing data protection regulations to individual member state Data Protection Authorities. This is troubling for many US companies, as some countries – Germany in particular – have deemed these data transfer alternatives invalid.


While an agreement between the US and EU on a new transatlantic data transfer framework is positive, many questions remain about the Privacy Shield. With the potential for Member State enforcement, short-term risk may be more acute. If US companies can be certain of anything, it is that heightened privacy obligations are coming. If you have not started working towards EU-style compliance yet, you should consider using the General Data Protection Regulation as a guide to improve your policies.

© Polsinelli PC, Polsinelli LLP in California


About this Author

Daniel L. Farris, Polcinelli PC, fiber optic networking Lawyer, data center operations attorney, Chicago

As a former software engineer and network administrator in the telecommunications industry, Daniel offers his clients real-world experience in fiber optic networking, data center operations, cloud computing, mobile app development, and data privacy and security matters.  His practice is founded upon understanding how technology can strengthen and expand the core mission of his clients’ businesses.

Dov H. Scherzer, Polsinelli, global technology lawyer, internet outsourcing attorney, New York

Dov Scherzer counsels clients in cutting-edge technology and privacy law matters, with a specific focus on global technology, outsourcing, internet and intellectual property transactions. From startups to Fortune 500 companies, Dov provides legal counsel at all stages of the corporate lifecycle. His business-first philosophy allows him to support clients, not only through the delivery of legal services, but also by adding value as a trusted business advisor. Based on his years of experience representing technology vendors and customers in highly-regulated industries like health care and financial services, he understands the various business models and the drivers that impact the parties involved. He takes a practical business approach to each transaction in the context of “real-world" client requirements and best industry practices