The self-certification process appears likely to continue after approval of the Shield, but under much stricter oversight. The U.S. Department of Commerce will be required to conduct yearly review of the efficiency of the Shield's operation and verify the applications of U.S. companies claiming compliance. The U.S. Federal Trade Commission will also participate in this overview process. EU citizens cannot complain directly to these agencies, but can file a complaint with their local Data Protection Authority who can then approach the U.S. agencies on the citizen's behalf.
New processes will be created to further ensure EU citizen protection. The U.S. State Department must create an Ombudsperson mechanism, independent of any U.S. federal agency, to also handle complaints from EU citizens, to advise such citizens as to their legal remedies, and to publicly publish the results of its investigations in the Federal Register. Complaints incapable of being resolved by any of the aforementioned methods will be forwarded to binding arbitration, paid from a fund to be established intended to minimize or eliminate any cost to complaining citizens.
Until the formal adoption of the Privacy Shield, however, U.S. companies continue to be at increased risk of privacy violations while handling and/or processing EU citizens' personal data during the period between the abolition of Safe Harbor and the passage of the Shield and should, therefore, tread carefully. Adding to the uncertainty is the current consideration of the proposed General Data Protection Regulation, intended to supersede the directive, now pending before the EU Parliament. And how privacy versus security concerns over such terrorist incidents as the one that occurred in Brussels might influence the pending decisions of EU government officials is impossible to accurately factor into this mix.
Sign up for CIO Asia eNewsletters.