Last Tuesday, February 2, 2016, the European Commission announced that it approved the EU-U.S. Privacy Shield (“Privacy Shield”), an agreement with the U.S. Department of Commerce establishing a new framework for transatlantic data flows. Although the full text and details of Privacy Shield have not been released, the new framework is expected to replace the now-defunct Safe Harbor, providing 4,400 Safe Harbor-certified companies with greater certainty about data transfers from Europe to the U.S.
Here’s what you need to know:
Elements of Privacy Shield
European Commission Vice-President Ansip and Commissioner Jourová are charged with preparing a draft “adequacy decision” that will include at least the following three elements:
- Robust enforcement and strong obligations on companies handling Europeans’ personal data: U.S. companies will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor whether companies publish their commitments, and the U.S. Federal Trade Commission will manage enforcement. Any company handling human resources data from Europe will have to commit to comply with decisions by European Data Protection Authorities (DPAs).
- Clear safeguards and transparency obligations on U.S. government access: The U.S. has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.
- Effective protection of EU citizens’ rights with several redress possibilities: Citizens who believe that their data has been misused will have several redress possibilities under the new arrangement. Companies will have deadlines to reply to complaints, and European DPAs will be able to refer complaints to the Department of Commerce and the Federal Trade Commission. Alternative dispute resolution will be free of charge. A new and independent Ombudsperson will manage citizen complaints regarding possible access by national intelligence authorities.
Has Privacy Shield Replaced Safe Harbor?
No. Although the announcement of a renewed commitment between the U.S. and EU is promising, Privacy Shield has several procedural hurdles to overcome before adoption and, even then, may still be challenged in European courts. The post-Schrems decision regulatory framework for transatlantic data transfer remains unchanged and uncertain. Put simply:
- Safe Harbor is invalid and any data transfers that rely on this mechanism violate EU law
- Binding corporate rules, standard contractual clauses, and ad hoc contracts or intra-group data transfer agreements continue to be valid mechanisms for transatlantic data transfers
Early this week, Commissioner Jourová announced that the Privacy Shield text will be unveiled in the second half of February. The Article 29 Working Party, whose primary objectives include providing expert opinions on questions of data protection from the member state level to the European Commission, will advise the Commission on the adequacy decision and is expected to weigh in on the text by the end of March.
For our part, we will continue to monitor developments as they unfold and will provide a more detailed analysis of the Privacy Shield agreement once it has been released to the public.