The European Commission has announced an agreement today with the United States Department of Commerce (DOC) to replace the invalidated Safe Harbor agreement on transatlantic data flows with a new EU-U.S. “Privacy Shield.” The Privacy Shield aims to address the requirements set out by the European Court of Justice in its Oct. 6, 2015 ruling by imposing stronger obligations on companies, providing stronger monitoring and enforcement by the DOC and Federal Trade Commission (FTC), and making commitments regarding access to information on the part of public authorities. In announcing the agreement, Vice-President Ansip noted his belief that the Privacy Shield will benefit both European businesses and citizens, and will prove to be a “much better” solution for transatlantic data flows. Below are three highlights that have been publicly announced by the parties thus far:

  • First, Privacy Shield will create several possible mechanisms for consumer protection and redress. Organizations using the Privacy Shield will be expected to resolve any issues directly with EU consumers, and will be faced with deadlines for responding to complaints. Alternatively, EU consumers may reach out to the appropriate data protection authority, which will then work with the FTC to ensure that complaints by EU citizens are investigated and resolved within a reasonable time frame. As a last resort, parties may engage in an alternative dispute resolution process. Finally, with respect to complaints relating to access by U.S. public officials, Privacy Shield will create an ombudsperson in the U.S. State Department to review national security complaints referred by European Data Protection Authorities.
  • In the area of national security and government access to data, in connection with the Privacy Shield, the United States has provided the EU written assurances that access to information by public authorities will be subject to clear limitations, safeguards, and oversight mechanisms. In a press conference announcing the agreement, Věra Jourová, EU Commissioner in charge of Justice, Consumers and Gender Equality, highlighted these “binding assurances” given by the U.S. regarding “clear limitations” on national security access, and noted that the U.S. commitments would be subject to an annual joint review by the European Commission and the DOC, as well as national intelligence experts from the European Data Protection Authorities.
  • On enforcement monitoring generally, the European Commission and Department of State will engage in a joint annual review to monitor the functioning of the agreement. The annual review process will facilitate opportunities for the EU and U.S. to adjust the agreement in response to changing political and technical developments. According to Jourová, the Department of Commerce and FTC also have committed to performing more frequent compliance reviews of companies using the Privacy Shield, and to implement sanctions against those failing to meet their obligations.

Jourová separately noted what she believed to be the three main achievements of Privacy Shield in strengthening protection for EU citizens’ data:

  1. Greater safeguards and transparency obligations regarding U.S. government access to data
  2. Redress mechanism for EU citizens in the area of national security
  3. Stronger conditions for companies handling personal data of EU citizens

Next Steps

At the press conference announcing the agreement, Commissioner Jourová expressed her belief that the Privacy Shield agreement would be implemented within the next three months. According to Jourová, the Commissioner will work to draft an adequacy provision for adoption in the next few weeks and, in parallel, the U.S. Department of Commerce will work to implement the agreed-upon mechanisms. Both Commissioner Jourová and Vice-President Ansip expressed their belief that the new Privacy Shield solution would be able to withstand future challenges but that, as the agreement provides for a “living” scheme, the practical work behind the arrangement was just beginning. Once in place, the Privacy Shield is expected to be a viable mechanism to rely on for the purposes of transatlantic data flows. But, in the meantime, it is still necessary to be in a position to legitimize such data flows through alternative legally valid means.

Julian Flamant in our Washington, D.C. office contributed to this entry