The Commerce Department has released the full text of the EU-U.S. Privacy Shield framework, the voluntary agreement companies sign on to protect over a quarter of a billion dollars in cross-border digital information flows.
Once it becomes official, it replaces the safe harbor agreement that an EU court invalidated over concerns about the U.S. being able to hold up its end of the agreement given the government surveillance revealed by the Edward Snowden leaks. The framework requires companies to provide notice of what personal information is being collected and stored, the purposes it is used for, and an "opt out" mechanism.
The EU still must approve the agreement. The Federal Trade Commission enforces the agreement. In addition, the State Department will establish a Privacy Shield Ombudsperson for inquiries about U.S. government intelligence practices. The Justice Department is also providing a letter spelling out the limitations and safeguards.
The U.S. congress did its part earlier this month, passing legislation, the Judicial Redress Act, that gives EU member citizens, at least those in countries considered U.S. allies, privacy rights similar to those of U.S. citizens for data stored in this country and the legal standing to seeks judicial remedies here for mishandling of that data.
Passage was considered key to establishing the new framework.
The framework agreement was struck Feb. 2. "The EU-U.S. Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic," said Secretary of Commerce Penny Pritzker in a statement.
"We have spent more than two years constructing a modernized and comprehensive framework that addresses the concerns of the European Court of Justice and protects privacy."
“The Privacy Shield will provide strong privacy safeguards, legal certainty for companies and enhances transatlantic trust," said Computer & Communications Industry Association international policy director Christian Borggreen.
“Privacy Shield will enable companies safely to transfer data between the world’s two largest economies. It bridges the privacy frameworks of the EU and U.S. which are essentially equivalent. We applaud the EU and U.S. for agreeing to strong privacy safeguards that limit government access to commercial data. The Privacy Shield includes strong U.S. Government commitments, many company obligations, and privacy safeguards for consumers which will enable commerce and help to restore trust.”
“We welcome the publication of the text of the EU-U.S. Privacy Shield, which aims to create a strengthened mechanism for transatlantic data transfers, consistent with the high levels of privacy protection in both the European Union and United States,” Information Technology Industry Council's Josh Kallmer said. “After our initial review, it appears that the two sides have achieved the objective of securing an agreement that both enhances privacy protections and provides the certainty needed to promote innovation and economic growth."
Software & Information Industry Association (SIIA), which represents software and digital content companies in the United States and Europe, welcomed the release of the text and related documents for the new Safe Harbor agreement.
Mark MacCarthy, senior VP of public policy for the SIIA, urged swift EU signoff.
“The Privacy Shield creates an essential legal and political foundation for the free flow of data across the Atlantic. It provides a mechanism that allows companies that wish to transfer personal data from Europe to the United States to do so in a way which complies with European laws and regulations," he said.
“This is a critical milestone in the effort to protect the transfer of data across the Atlantic,” said Linda Moore, president and CEO of TechNet, in a statement. “The transatlantic flow of data is the lynchpin of U.S.-EU trade relations, and a clear framework to protect these transfers is vital for American and European shared interests in promoting innovation and data protection.”