After Safe Harbor, the international data transfer agreement used by the U.S. and the European Union, was invalidated in October 2015, the Department of Commerce and the EU Commission worked to draft a new agreement that gave Europeans more rights over their personal information held in the U.S. On July 12, 2016, the EU-US Privacy Shield law was passed.
Why did this agreement come about in the first place? When the EU Court of Justice ruled Safe Harbor invalid, it had two key concerns: excessive U.S. access to European data (brought to light by the Edward Snowden leaks of 2013), and a lack of process for European citizens to address their concerns. Privacy Shield aims to redress those issues.
Are there a lot of differences between the agreements? Not really. The differences between Safe Harbor and Privacy Shield lie more in the methods of addressing data transfers than in changing the nature of those transfers. Safe Harbor had seven principles: Notice, Choice, Onward Transfers (transfers to third parties), Access, Security, Data Integrity, and Enforcement. Privacy Shield keeps those same principles, but focuses on stronger individual rights for EU citizens, stricter requirements for U.S. businesses, and restrictions on U.S. government access to personal data.
One major change from Safe Harbor is the transfer of data to third parties, or the Onward Transfers principle. In the old agreement, an organization had to provide notice and choice to consumers before sharing personal information with a third party, but that was not required if the third party was “acting as an agent to perform tasks on behalf of and under the instructions of third organization.”
With the new agreement, that rule has changed dramatically. Companies that wish to transfer data to third parties must now also comply with the principle of purpose limitation and ensure that the third party provides the same level of Privacy Shield protection as the original company. Organizations must also provide a copy of the relevant portions of their privacy agreement with the third party to the Department of Commerce upon request. However, even when those requirements have been met, an organization remains liable if the third party does not process the information in a manner consistent with Privacy Shield, unless it proves it is not responsible for the event that caused damage to the personal information.
Overall, the Privacy Shield seeks to address the concerns voiced by Europeans over how much of their data was being sent to the U.S., and the lack of any process for filing complaints under Safe Harbor. Despite the framework being signed July 12, many critics of the new policy remain vocal and question whether it can stand up to a legal challenge. Companies may self-certify adherence to the new principles beginning Aug. 1, 2016, and the full list of certified companies is available on the Privacy Shield website.