On February 2, the members of the European Commission approved a new framework for transatlantic data flows: EU-US Privacy Shield. The European Commission and the United States agreed to a deal that reflects the requirements set forth in the Court of Justice of the European Union’s (CJEU) October 6, 2015 decision declaring the old Safe Harbor framework invalid. The agreement aims to protect “fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” Specifically, the drafters of the new framework attempt to provide (i) robust obligations on U.S. companies to ensure that they are protecting Europeans’ personal data, such as strengthened monitoring by the Department of Commerce and the FTC and increased cooperation with European Data Protection Authorities; (ii) written commitments by the U.S. that “the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms”; and (iii) effective protection of Europeans’ rights regarding how their data is handled, including several redress possibilities and the creation of an Ombudsperson to whom they can raise inquiries or complaints. Commenting on the agreement, Commission Vice-President Ansip stated, “[t]oday’s decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US.” In the upcoming weeks, the U.S. will prepare to put in place the new framework while Vice-President Ansip and Commissioner Jourová prepare a draft “‘adequacy decision,’” which could be “adopted by the [Commission] after obtaining the advice of the Article 29 Working Party (WP29) and after consulting a committee composed of representatives of the Member States.”            

In a February 3 statement, the WP29 maintained that it has concerns regarding the current U.S. legal framework to protect non-U.S. persons’ data. While it recognizes recent efforts by the U.S. to improve protection of personal data to meet the four essential guarantees for intelligence activities, the WP29 emphasized it will need to “consider if its concerns regarding the U.S. legal framework can be alleviated following the introduction of the EU-US Privacy Shield . . . [and] analyse to what extent [the] new arrangement will provide legal certainty for the other transfer tools.”