Following a September 23, 2015 opinion by Advocate General (AG) Bot that the US-EU Safe Harbor framework, which provided for the "safe" transfer of personal data from the EU to the US, did not provide sufficient guarantees for the protection of the rights of EU citizens, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor framework. In reaching its conclusion that the Safe Harbor framework failed to adequately protect privacy, the CJEU cited what it deemed to be the Safe Harbor's shortcomings—including its lack of a judicial redress procedure for EU citizens. See our previous articles on the AG opinion and subsequent CJEU decision for more information.
EU and US authorities have been renegotiating the Safe Harbor framework for the past two years, however, the CJEU's decision places additional pressure on both sides to finalize negotiations. On October 16, 2015, the Article 29 Working Party, an influential advisory group made up of representatives from the data protection authority of each EU Member State, injected additional urgency into the talks when it announced that a new data sharing agreement should be in place by the end of January 2016, otherwise "coordinated enforcement actions" against companies unlawfully transferring data may be considered.
The Judicial Redress Act
In response to the CJEU decision, on October 20, 2015 the US House of Representatives passed the Judicial Redress Act (H.R. 1428). The bill would give citizens of designated close US allies the same legal rights enjoyed by US citizens under the Privacy Act of 1974, including the power to sue certain US federal agencies for mishandling their personal information.
"The sudden termination of the Safe Harbor framework strikes a blow to US businesses by complicating commercial data flows. If we fail to pass the Judicial Redress Act, we risk similar disruption to the sharing of law enforcement information," said US Representative Jim Sensenbrenner (R-Va.), one of the bill's sponsors.
By addressing the CJEU's concern about the lack of judicial redress for EU citizens, the House's passage of the bill is viewed by some as a critical step toward establishing a new data protection and privacy rights framework with the EU. However, given that the Privacy Act of 1974 contains a number of exceptions for law enforcement and intelligence actions, some have cautioned that the House bill may not go far enough in addressing the concerns outlined in the CJEU decision. The bill now moves to the Senate for approval.
Impact on companies
Although the House's passage of the Judicial Redress Act offers hope to thousands of companies anxious for a new US-EU data sharing agreement, businesses which previously relied on the Safe Harbor framework should continue reevaluating their options for transferring data from the EU in light of the Working Party's stated January 2016 deadline. Additionally, and as discussed in previous alerts (available here, here and here), companies operating in more than one Member State should monitor data protection authorities' responses to these developments and consider whether alternative transfer methods, such as Model Contract Clauses, might be appropriate for their business.