August 19, 2018

August 17, 2018

Subscribe to Latest Legal News and Analysis

August 16, 2018

Subscribe to Latest Legal News and Analysis

One Step Closer: Draft of Text of EU-U.S. Privacy Shield Released Yesterday

The U.S. and EU are one step closer to implementing the new EU-U.S. Privacy Shield.  The European Commission and U.S. Department of Commerce yesterday announced the release of the legal texts that will put in place the EU-U.S. Privacy Shield, a new framework of rules governing transatlantic data flow. 

The Privacy Shield replaces an earlier Safe Harbor mechanism, struck down by the European Court of Justice last October, saying that it did not adequately protect their citizens’ privacy rights.  Nearly 5,000 U.S. companies relied on the 15 year-old Safe Harbor mechanism to collect and transfer data of EU individuals into the U.S.  Since the invalidation of the Safe Harbor, U.S. companies have been eagerly awaiting word of a new legal framework to govern transatlantic data transfers and to ease concerns that companies may face enforcement actions by individual EU countries.

This announcement is another sign that the Obama Administration is serious about allaying European concerns about data privacy in the U.S.  Last week, the U.S. adopted into law the Judicial Redress Act, which grants EU citizens the right to enforce data protection rights in U.S. courts.

The Privacy Shield, which includes Privacy Shield Principles, is designed to offer EU individuals stronger privacy monitoring and enforcement, easier redress for concerns and includes written commitments by the U.S. government on the enforcement of the arrangement.

Yesterday, in addition to the release of the legal texts, the European Commission also made public a draft “adequacy decision” establishing that the Privacy Shield safeguards are equivalent to data protection standards in the EU.

Some of the key components of the Privacy Shield include:

  • Strict and transparent supervision on U.S. companies to safeguard personal data of European customers and business partners. The Privacy Shield calls for sanctions for companies that fail to protect this data or exclusions if they do not comply.

  • Strengthening protection of personal data that is transferred from a Privacy Shield organization to a third party controller or agent by requiring, among other things, that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual.

  • Clear restrictions on U.S. government access to Europeans’ private information. This aspect of the Privacy Shield will be overseen by an Ombudsperson office operating independently of U.S. national security agencies.

  • Dispute resolution mechanisms for Europeans who have a privacy complaint involving a U.S. business. These mechanisms include binding arbitration. Businesses will have 45 days to respond to complaints by EU consumers before the dispute resolution process begins.

  • An annual joint review by the European Commission and U.S. Department of Commerce to ensure the Privacy Shield is working as it should.

The EU-U.S. Privacy Shield isn’t finalized yet, as both sides still must finalize certain components. But today’s announcement gives a working understanding of how the Privacy Shield will work, as well as indicating the seriousness of both parties in addressing this critical business concern and restoring transatlantic trust.

Copyright © 2018 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Orla M. O'Hannaidh, Womble Carlyle, Intellectual Property Attorney, Technology Commercialization Lawyer

Orla O’Hannaidh is an associate in Womble Carlyle’s Intellectual Property Practice Group and a member of the firm’s IP Transactions Team. Her practice focuses on drafting and reviewing a broad variety of contracts involving the use and commercialization of intellectual property and technology. Orla also practices in the areas of copyright, marketing, sweepstakes and promotions law. Before joining Womble Carlyle, Orla worked for the Irish Department of Foreign Affairs in Washington D.C. and Dublin, Ireland. Orla gained significant experience in government relations and negotiations. Orla also received a Masters in International Relations and served as a summer clerk for Justice Paul Newby of the North Carolina Supreme Court.