American companies can now sign up to the Privacy Shield framework that governs how companies can transfer the data of European Union citizens over to their U.S. servers, while still complying with strict privacy rules. The U.S. Department of Justice will be the one evaluating the applications and monitoring companies for compliance.
Last year, the Court of Justice of the European Union (CJEU) ruled the Safe Harbor agreement for data transfers between the EU and the U.S. invalid. Since then, it’s been illegal for companies to transfer data to the U.S., and Microsoft is just one of the companies that may get in trouble over this if it doesn’t comply with the new “Privacy Shield” agreement soon.
The European Commission, which negotiated the framework with the U.S. government, published all the legal documentation accompanying the Privacy Shield framework, as well as a citizens’ guide for how EU citizens can file complaints against American companies that handle their data but don’t comply with the Privacy Shield rules.
One of those rules says that companies must delete the data once it’s no longer necessary, but it may be up to the companies to decide how long the data is needed. Some companies could say they need to store it forever, just in case it may provide some advertising benefit in the future, for example.
The Privacy Shield framework brings many new improvements over the old Safe Harbor agreement, considering the old one allowed American companies to “self-certify” for it. The new framework will be reviewed every year by the European Commission for potential unforeseen problems.
The Working Party 29, which is formed by the leaders of all the 29 Data Protection Agencies in the EU, has been criticizing the Privacy Shield agreement for being too broadly written. The WP29 is also concerned about the lack of a mechanism that would allow the agencies to object to various privacy issues that some companies may be creating. However, those objections may be considered in the annual review as potential future changes that need to be put into the agreement.
The WP29 also seems concerned that the U.S. government didn’t offer any specific assurances that it wouldn’t do bulk collection of EU data transferred to the U.S., even though that was one of the main negotiation points when the EU and U.S. executive bodies were working on the new data transfer framework.
The first annual review of the Privacy Shield framework will be an important moment to see what else is lacking from the agreement and what isn’t working. However, it’s unclear how easily the Privacy Shield framework could be modified, because it would imply that all the companies that have been certified for it would have to be re-evaluated.
EU citizens will be able to check whether a certain company complies with the Privacy Shield framework before signing up for its services.