The European Commission Has Deemed The Privacy Shield Framework Adequate To Enable Data Transfers To US Under EU Law.
On July 12, 2016, the European Commission adopted the EU-U.S. Privacy Shield. I am blogging about this because it relates to transfer of data from the EU to the U.S., and this impacts legal matters affecting the privacy rights of EU citizens, including mediations, arbitrations, and litigation in which a data transfer from the EU to the U.S. is required. Also, the Privacy Shield provides for binding arbitration as one of several dispute resolution mechanisms for resolving privacy issues.
The International Trade Administration of the US Department of Commerce has created a website with information about the EU-U.S. Privacy Shield Program, intended to protect data flows from the EU to the US, and thus to protect the privacy of EU persons. The protections offered by the Privacy Shield Program are more stringent than protections offered by an earlier Safe Harbor program. Click here for a link to FAQs about the Privacy Shield program.
United States companies that join the Privacy Shield Framework can benefit from an “adequacy determination”, meaning a determination that they have joined and committed to a framework deemed adequate by the European Commission to comply with EU data protection requirements when transferring personal data (e.g., names, addresses, telephone numbers) from the EU to the US.
No doubt the push to satisfy EU concerns about the privacy of EU citizens was motivated, at least in part, by Edward Snowden’s revelations concerning the NSA surveillance of intelligence available in Internet communications. Snowden’s choice to disclose secret information about US surveillance triggered a debate on privacy and surveillance.
The EU-U.S. Privacy Shield provides a number of dispute resolution routes, in case a citizen of the EU believes his or her privacy rights have been violated. These routes include contacting the company directly, going to an independent dispute resolution provider, submitting to EU Data Protection Authorities (DPAs), and binding arbitration. In the case of national security issues, an ombudsman independent from US intelligence services is to be available.
Arbitration “is available to an individual to determine . . . whether a Privacy Shield organization has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied.” In short, the purpose of arbitration is to provide an equitable, rather than a monetary remedy, for an individual whose privacy rights have been violated. “Once invoked, the individual forgoes the option to seek relief for the same claimed violation in another forum, except that if non-monetary equitable relief does not fully remedy the claimed violation, the individual’s invocation of arbitration will not preclude a claim for damages that is otherwise available in the courts.” See Arbitral Model, Annex II, pp. 12 to 16 of 128.
Because the binding arbitration dispute resolution mechanism exists to protect privacy, it would make little sense if the Privacy Shield did not protect the confidentiality of the arbitration proceeding itself. In fact, “Materials submitted to arbitrators will be treated confidentially and will only be used in connection with the arbitration.” Furthermore, individual-specific discovery “will be treated confidentially by the parties and will only be used in connection with the arbitration.”