After nearly four months of diplomatic discussions, negotiators reached agreement on February 2 on how the U.S. and the European Union share data across the Atlantic.  The new agreement, called the EU-U.S. Privacy Shield, replaces the EU-U.S. Safe Harbor, which allowed U.S. companies to transfer personal data of European citizens to the United States if those companies promised to provide privacy protections equivalent to those in the EU.

The European Court of Justice (ECJ) invalidated the Safe Harbor on October 6, 2015, because of concerns about the rights of Europeans to their personal data and potential exposure to surveillance by U.S. intelligence agencies.  These concerns arose when Max Schrems, an Austrian law student, filed a complaint with the ECJ, prompted by the spying revelations made by Edward Snowden.

The new Privacy Shield contains several important provisions that U.S. and European officials expect will extinguish the risk of costly litigation by consumers worried about their privacy, including:

  • Stronger obligations on U.S. companies to protect Europeans’ personal data. Companies handling Europeans’ personal data must commit to robust obligations on how personal data is processed and individual rights are guaranteed.  The U.S. Department of Commerce will ensure that these companies publish their commitments, thereby making them enforceable under U.S. law by the Federal Trade Commission.

  • Limitations on the ability of the U.S. Government to access and use personal data.  A top U.S. official must send a signed letter pledging that the U.S. will avoid “indiscriminate mass surveillance” and that government access to personal data for law enforcement and national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms.  The European Commission and the U.S. Department of Commerce will conduct an annual joint review to monitor the functioning of this arrangement, and will invite national intelligence experts from the United States and the European Data Protection Authorities to participate.

  • Redress for European citizens.  Individuals can raise complaints with European Data Protection Authorities, who can in turn refer complaints to the U.S. Department of Commerce and the Federal Trade Commission.  U.S. companies have deadlines to reply to any complaints received, and alternative dispute resolution will be offered free of charge. A new, dedicated Ombudsperson will be appointed within the U.S. government to address complaints concerning possible access by national intelligence authorities.

U.S. Commerce Secretary Penny Pritzker stated that the U.S. Department of Commerce will soon be offering a series of briefings for companies on the details of the Privacy Shield and what they need to do to comply with new requirements.  She also noted that there will be a period of transition to allow companies to undertake compliance efforts.

Over the next several weeks, the European Commission and the U.S. will secure final political approval and begin making the necessary preparations to put in place the new framework, monitoring mechanisms, and new Ombudsperson.

For now, U.S. companies that process personal data on Europeans should continue to monitor the final approval process and prepare to review the published EU-U.S. Privacy Shield framework to determine the appropriate steps necessary to comply.

For more information about the new EU-U.S. Privacy Shield, please see the press release from the European Commission here.