The Privacy Shield agreement is intended to guarantee the personal information of European Union citizens the same privacy protection when processed in the US as it would receive at home. Where these guarantees are not available, the information must stay in the EU. [See also: Privacy Shield post-Brexit - What UK CIOs need to do about Safe Harbor replacement]
Privacy Shield replaces the earlier Safe Harbor agreement, which was torn up by the Court of Justice of the European Union last October because it did not provide adequate protection.
Like its predecessor, Privacy Shield require US businesses wishing to process EU citizens' personal information to self-certify that they will comply with a certain number of principles.
Privacy Shield was little more than a name when the European Commission announced the agreement on February 2, but yesterday it fleshed out details of its negotiations with US authorities.
Here are five things businesses need to know about the Privacy Shield principles
1. Signing up is voluntary; compliance is compulsory
Signing up to Privacy Shield is voluntary but if a business does not sign up, it can not process EU citizens' data in the US. Once a business has signed up, compliance with the principles is compulsory and can be enforced by the US Federal Trade Commission.
Participating US companies must publish - and respect - their privacy policies. Those that don't keep their promises may be sanctioned or excluded from the Privacy Shield agreement. The US Department of Commerce will publish a list of companies that have signed up, and another of those that have been excluded.
2. US national security still trumps Privacy Shield
Where the Privacy Shield principles conflict with US national security or law enforcement needs, you can forget Privacy Shield. Article 5 of the agreement says: "Adherence to these Principles may be limited:
(a) to the extent necessary to meet national security, public interest, or law enforcement requirements;
(b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations."
3. Mass surveillance is still allowed
Even though its openness to mass surveillance of EU citizens' communications and online activities was one of the things that brought down Safe Harbor, such surveillance activities are still allowed under Privacy Shield. The EU's fact sheet claims that "US authorities affirm absence of indiscriminate or mass surveillance," but US documents forming part of the agreement claim nothing of the sort.
The U.S. still allows itself to perform bulk surveillance for six purposes: detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to US or allied armed forces, and combating transnational criminal threats, including sanctions evasion.
4. Businesses will have 45 days to reply...
If an EU citizen complains about the treatment of their personal information under Privacy Shield, companies will have 45 days to reply their complaint. If the reply doesn't bring satisfaction, the complainant can have recourse to a number of other resolution mechanisms, including a free alternative dispute resolution service and their own national privacy regulator.
5. ... but it hasn't started yet
The European Commission jumped the gun in announcing Privacy Shield on February 2, as many of the written promises from the US on which the agreement depends did not arrive for another three weeks. On February 29 the Commission published those documents, along with a draft "adequacy decision," the legal instrument by which Privacy Shield's provisions will be declared equivalent to the protections offered by EU law.
The draft adequacy decision is still open to challenge by the governments and data protection authorities of the EU's 28 member states, and must be reviewed annually to ensure that all parties are still respecting the undertakings on which it is founded. If they aren't, then in theory it can be suspended.