Less than two days after an enforcement moratorium expired, U.S. and EU officials in transatlantic data transfer talks have reached a new “Privacy Shield” framework to replace the Safe Harbor regime struck down in the Schrems case last year. The new framework, also known as Safe Harbor 2.0, is expected to increase obligations on U.S. companies that handle the personal data of Europeans, while bringing stronger privacy enforcement by the U.S. Federal Trade Commission (“FTC”). The new Privacy Shield framework also includes new limitations on data surveillance by U.S. authorities, which had been a major sticking point during the negotiations.
As background, EU privacy law prohibits the transfer of personal data to U.S. organizations unless those organizations demonstrate an “adequate level of protection.” Until last year, the most common method to demonstrate this adequate level of protection was self-certification under the Safe Harbor principles, a standard administered by the U.S. Department of Commerce and enforced by the FTC. However, last October the European Court of Justice decided the Schrems case, which ended protected data transfers under the Safe Harbor principles and cast doubt on other data transfer mechanisms to the U.S. (namely, binding corporate rules and standard contractual clauses). Over the past three months, the U.S. Department of Commerce and the European Commission have been urgently trying to negotiate a replacement for the Safe Harbor regime. European regulators had agreed to an enforcement moratorium until the end of January to allow time for negotiations.
Even though Privacy Shield has now been announced as a replacement for Safe Harbor, the details of the new framework are still to be worked out. As such, it is too early to tell when it will be fully operational and how U.S. businesses will certify compliance with it. However, one thing that seems certain is that U.S. companies processing European personal data will have to agree to comply with decisions by European regulators in relation to that data. Already in Europe, some are calling the new Privacy Shield framework too weak, and the opinion of the EU’s numerous data protection regulators remains unknown. After the details are hammered out by the U.S. Department of Commerce and the European Commission, aspects of the new framework will doubtless come under scrutiny by EU politicians, regulators, and courts.
Though the Privacy Shield framework is still in its preliminary stages and much ambiguity remains, U.S. businesses should welcome these steps toward more certainty in a post-Schrems world. The sudden state of non-compliance with EU privacy rules that erupted after Schrems has been a key concern for global companies that rely on international data transfers. Many data-focused companies with data servers and data storage located in the U.S. relied on and invested heavily in the Safe Harbor regime before Schrems. Even global companies that do not deal in the commoditization of personal data relied on the regime to move personal information about employees, contractors, and vendors into and out of the EU.
Once Safe Harbor was gone, many companies decided to adopt the EU standard privacy clauses into their contracts and affiliate agreements as a substitute method of demonstrating an “adequate level of protection” for European personal data. However, this alternative is not guaranteed, as the EU standard privacy clauses are at risk of invalidation via an EU court challenge on the same grounds cited in the Schrems decision. Because of this uncertainty, many other companies previously reliant on the Safe Harbor regime have taken a wait-and-see approach over the past three months, and should be encouraged that this new Privacy Shield framework has come into clearer focus.
The European Commission is now expected to consider and prepare a draft adequacy decision regarding Privacy Shield over the next few weeks. Once completed, the final Privacy Shield framework will be voted on by the European Commission. A group of European data protection regulators followed the announcement of the Privacy Shield framework by saying that the group would not give any opinion on the legality of EU standard privacy clauses until spring. The end result of these Privacy Shield negotiations with the U.S. will not be an international treaty, but rather an agreement with the U.S. Department of Commerce, the finalization of which will not require congressional or presidential approval. However, the finalization of the Privacy Shield negotiations with the U.S. will most likely be followed by a court challenge against the new framework in the EU.