United States and European Union officials have reached a last-minute agreement in an attempt to salvage the US-EU Data Transfer Safe Harbor, nearly four months after the European Court of Justice issued an opinion undermining the US-EU Safe Harbor Framework and US companies’ ability to rely on the mechanism. For months, US companies have been grappling with the uncertain status of the US-EU Safe Harbor, the loss of which could prevent the free flow of data belonging to European citizens into the United States.
Safe Harbor provided a mechanism by which US companies operating in EU countries could transfer personal information of EU citizens to the United States without running afoul of European privacy laws. EU Commission Decision 2000/520 of July 26, 2000 (“Decision 2000/520”), essentially provides that US laws, buttressed by the Safe Harbor Privacy Principles, provide an adequate level of privacy protection such that transfer of personal data from EU countries to the US (if the recipient company agrees to comply with the Safe Harbor Privacy Principles) is not prohibited. In early October, the European Court of Justice invalidated Decision 2000/520 in Maximillian Schrems v. Data Protection Commissioner on the basis that the US government’s mass surveillance practices, against which even companies compliant with Safe Harbor Privacy Principles could not protect data in their possession, were incompatible with EU rights to privacy. To read more about the Schrems case, please see our earlier Client Alert, “US Safe Harbor Not Safe from EU Court Ruling.”
Since the Schrems decision, the European Commission and the US State Department have been furiously negotiating to devise an alternative to the invalidated Safe Harbor to prevent data commissioners in EU countries from levying enforcement actions against US companies, which would effectively force trans-Atlantic data transfers to grind to a halt. European and US officials have revealed the terms of an agreement just in time—a group of EU data commissioners are meeting on February 2nd and 3rd to discuss enforcement actions and the restriction of US companies’ use of alternatives to Safe Harbor.
The main tenets of the new US-EU Safe Harbor, referred to as the EU-US Privacy Shield, are:
- The US will create a new ombudsman within the US State Department to receive complaints from EU citizens about unauthorized access to their data
- The US Federal Trade Commission will work with EU data protection agencies on complaints, with arbitration as a final method of resolution
- The US Office of the Director of National Intelligence will commit in writing that Europeans’ personal data will not be subject to indiscriminate mass surveillance
- The European Commission and the US Department of Commerce will review the system annually
- Companies will face sanctions and exclusion from the Safe Harbor system for violations of the applicable rules