On February 2, 2016, the European Commission announced a new trans-Atlantic data transfer agreement with the United States. The EU-U.S. Privacy Shield replaces the U.S.-EU Safe Harbor, which was invalidated by the European Court of Justice in October 2015. The EU-U.S. Privacy Shield re-establishes protections for companies that wish to transfer data from the EU to the United States, provided such companies comply with additional regulations.

Background

EU law permits transfers of personal data to a third country only if the third country ensures adequate protection of that data. On October 6, 2015, the European Court of Justice issued a ruling invalidating the European Commission’s long-standing determination that the United States has adequate data protection. In the wake of that ruling, the authorities in charge of enforcing the EU’s data transfer laws announced an enforcement moratorium until January 31, 2016, providing time for the U.S. and EU to reach a new agreement.

The U.S.-EU negotiations focused on the October 2015 concerns expressed by the European Court of Justice, including the need for:

  • Additional data security measures by U.S. companies to protect data from outside sources, including U.S. government surveillance practices.
  • Greater transparency about any data provided to the U.S. government or other entities.
  • Clearer mechanisms for EU citizens to enforce their privacy rights against U.S. companies and the U.S. government. 

What This Means to You

The full text of the new framework has not yet been released due to ongoing approval processes within the EU. It is clear, however, that the EU-U.S. Privacy Shield will involve new data security requirements for companies that wish to use the agreement to transfer personal data from the EU. One of the primary changes will involve the addition of multiple channels for EU citizens to seek redress for privacy violations. These channels include alternative dispute resolution and, as a matter of last resort, binding arbitration proceedings between EU citizens and the companies from which redress is sought.  

EU data protection authorities will be authorized under the EU-U.S. Privacy Shield to suspend data transfers by companies not compliant with the EU’s data transfer laws. Once the full text of the EU-U.S. Privacy Shield is released, companies that relied on the original Safe Harbor Framework for data transfers should promptly review their policies and procedures for compliance with new requirements.

Read the European Commission press release.