Only 2 days after the grace period set by the representatives of the national data protection authorities (DPAs) ended on January 31, 2016, the EU Commission announced that the US government and the EU College of Commissioners reached an agreement regarding the replacement of the invalidated Safe Harbour framework.
To recap, the US/EU Safe Harbour Framework setting the legal basis for the transatlantic data flow was declared void by the ECJ's ruling of October 6, 2015. In the aftermath of the ruling the representatives of the national DPAs declared that the US and EU would have to find a new arrangement by the end of January 2016. Without a new framework in place by then, the national DPAs would be ready to take all necessary and appropriate actions, including coordinated enforcement procedures against companies violating European data protection rights when transferring data across the Atlantic.
Yesterday, February 2, 2016, the negotiating parties announced that they had agreed upon a replacement for Safe Harbour: Future transatlantic data flows shall be based on the EU-US "Privacy Shield". The details of the deal have not yet been published; however, the arrangement shall aim to implement the requirements set by the ECJ's ruling on Safe Harbour by:
- obliging US companies which intend to import data from the EU to provide strong commitments: the US companies' commitments shall be published and shall be enforceable under US law by the US Federal Trade Commission. In case of processing human resources data from the EU, the US-based company will have to comply with decisions of the European DPAs.
- protecting EU citizens' rights effectively with several redress possibilities, including a new Ombudsman.
- providing clear safeguards and transparency obligations regarding US government access, which will for example prevent the US government from "indiscriminate mass surveillance" in respect of personal data from the EU.
Next Action Points:
Now, it is up to the EU Commission to draft a new "adequacy decision" and, after consulting the representatives of the national DPAs and the Member States, to adopt it. In this context it may be expected that the new framework will be subject to scrutiny by national DPAs and hence the text may still change at that point.
The time for implementation is estimated at three months. Until the new framework comes into force, companies must continue to rely on alternative legally valid means, such as the EU Standard Contractual Clauses or Binding Corporate Rules, when transferring personal data from the EU to the US.