Key Notes:

  • U.S. and EU agree on new framework for data transfer to replace invalid Safe Harbor.
  • New framework imposes stringent obligations on participating companies and U.S. government agencies.
  • EU citizens will have means of redress for alleged violations by companies and U.S. government agencies.
  • More details to come.

Since the European Court of Justice invalidated the legal basis for the EU/U.S. Safe Harbor framework in its Schrems decision, there has been great uncertainty as to how U.S. companies could receive and process EU nationals’ personal information. Now there has been progress in clarifying that landscape. On February 2, 2016, the European Commission announced that it reached an agreement with the United States on a new framework to cover cross-border flows of personal data that replaces the former Safe Harbor framework. As we discussed in a prior Privacy & Cybersecurity Update, until the court’s decision, the Safe Harbor provided the primary means for companies to share European citizens’ data with their U.S.-based operations and business partners.

According to the European Commission, the new framework, known as the EU-U.S. Privacy Shield, will:

  • Impose strong obligations on companies handling EU citizens’ personal data. The Privacy Shield will require U.S. companies handling EU citizens’ personal data to commit to “robust obligations” on how that data is handled and individual rights are protected. U.S. companies will be required to publish these commitments, making them enforceable by the U.S. Federal Trade Commission (FTC). In addition, companies handling human resources data from Europe must commit to comply with decisions issued by EU data protection authorities.
  • Provide transparency and safeguards regarding U.S. government access to personal data. For the first time, U.S. authorities have provided the EU with written assurances that government access to personal data for law enforcement and national security purposes will be subject to “clear limitations, safeguards and oversight mechanisms.” Under the Privacy Shield, such access will only be used to the extent necessary and proportionate, meaning that indiscriminate mass surveillance of data transferred under the framework will be prohibited. There will also be an annual joint review by the European Commission and the U.S. Department of Commerce to monitor the new framework’s functioning.
  • Offer effective protection of EU citizens’ rights including several means of redress. Any EU citizen who believes his or her data has been misused under the new framework will have several means of redress. Companies will have deadlines to respond to complaints, and EU data protection authorities can refer complaints to the U.S. Department of Commerce and FTC. In addition, the new framework provides for a new ombudsperson to address complaints involving alleged violations by national intelligence authorities.

At present, only a broad outline of the Privacy Shield is available.