In a long-awaited and much-anticipated announcement, the U.S. Department of Commerce and the European Commission (the “Commission”) declared on February 2, 2016, that they had struck a deal on a new cross-border data transfer framework. The new framework will replace the U.S.-European Union (“EU”) Safe Harbor Framework, invalidated by the European Court of Justice (“ECJ”) on October 6, 2015. As the details of the new framework remain sketchy, the implications for U.S. multinational employers remain unclear. Nonetheless, U.S. multinational employers should consider the recommendations described below while awaiting more details.
Shortly after the ECJ issued its landmark decision invalidating the Safe Harbor, the group of European data protection regulators from each of the 28 Member States, known as the Article 29 Working Party (the “Working Party”), issued a veiled ultimatum. If the Commerce Department and the Commission did not reach agreement on a replacement framework by January 31, 2016, the Working Party would consider enforcement actions against those U.S. organizations that had certified to the Safe Harbor but did not implement an alternative data transfer mechanism before that date. In mid-January, the Working Party sent a message to negotiators by scheduling a meeting for February 2, 2016.
During the period of extreme uncertainty between the ECJ’s decision on October 6, 2015, and January 31, 2016, many U.S. multinational employers that are certified to the Safe Harbor scrambled to implement the one mechanism for lawful data transfers that could be implemented in such a short time period. This mechanism is a form data transfer agreement previously approved by the Commission, known as the “standard contractual clauses” (the “Clauses”). Other U.S. multinational employers took a wait-and-see approach.
The January 31, 2016, quasi-deadline came and went, elevating stress levels for those responsible for data protection compliance. Then, on February 2, 2016, before the Working Party could call for mass enforcement actions, the Commission and Commerce Department announced their deal. The Working Party has not yet reacted publicly to the new framework, but it likely will soon release a public statement.
The Outlines of the New Framework
While U.S. multinational employers generally greeted the announcement with cheers and a sigh of relief, the Commission and Commerce Department have revealed only the following outline of the new framework:
- The new frame work is called the “Privacy Shield.”
- U.S. companies certifying to the Privacy Shield “need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.”
- The Commerce Department will monitor that certifying companies publish their privacy commitments, and the Federal Trade Commission will enforce them.
- Certifying companies must attempt to resolve complaints from EU citizens within a specified time period. EU citizens can submit unresolved complaints to EU data protection authorities and, if necessary, can demand binding arbitration at no cost to them.
- Certifying companies that rely on the Privacy Shield to transfer human resources data must agree to comply with decisions issued by European data protection authorities (DPAs).
- The U.S. provided written assurances that access to E.U. personal data by U.S. intelligence and law enforcement agencies will be tightly controlled and will be subject to annual joint review.
- An ombudsman will resolve complaints from EU citizens concerning alleged violations of their rights by U.S. intelligence and law enforcement agencies.
Recommendations for U.S. Multinational Employers
U.S. multinational employers should be cautiously optimistic. Notwithstanding the new name, the Privacy Shield looks very similar to the Safe Harbor insofar as the transfer of EU employees’ personal data within a corporate group is concerned. That said, U.S. multinational employers should consider taking the following steps:
- Watch for Developments from the Commission: While its rough framework is similar to the Safe Harbor, the Privacy Shield, in its details, may impose significantly greater compliance burdens or trigger materially increased enforcement risk. Understanding the details of the Privacy Shield will be critical to assessing an organization’s best course of action for lawfully transferring EU employees’ personal data to the U.S. The Commission likely will publish more details in the near future.
- Watch for Developments from the Working Party and European (local) Data Protection Authorities: The Working Party could throw a wrench in the deal by declaring its view that the Privacy Shield does not adequately protect EU personal data and/or will issue guidelines how certain terms have to be interpreted. Even if the Working Party embraces the outline of the Privacy Shield, it could set another deadline after which enforcement will commence to spur finalization of the Privacy Shield and will likely give the Privacy Shield a dynamic element by continuously issuing decisions as to the interpretation of certain terms. Also, European (local) DPAs may add their interpretations as well. US multinational employers will have to monitor compliance with the decisions of the European DPAs and adapt their data protection approach on a continuing basis.
- Continue to Comply with the Safe Harbor: Employers who certified to the Safe Harbor have an ongoing obligation to handle EU employees’ personal data in accordance with the Safe Harbor or more stringent privacy principles — even after the Safe Harbor is formally replaced. In addition, the Privacy Shield likely will rely — at least initially — on the “old” Safe Harbor platform. Relatedly, the Commerce Department likely will provide a simplified mechanism — again, at least initially — for organizations on the Safe Harbor list to transition to the Privacy Shield.
- Evaluate Standard Contractual Clauses: Once its details are published, the Privacy Shield may turn out to be less business-friendly than the Safe Harbor. As a result, the Clauses could end up being a more attractive method for legitimizing cross-border data transfers. In addition, the Working Party or individual Member State data protection authorities may take the position that U.S. employers still must implement an alternative to Safe Harbor until the Privacy Shield goes into effect. Consequently, U.S. multinational employers who have transitioned to the Clauses, or who are in the process of doing so, will not see their efforts go to waste.