Politicians in both the European Union and United States touted Tuesday’s agreement on a new “Privacy Shield” for EU-U.S. data transfers as a resolution to the data transfer quagmire that has faced companies since the EU-U.S. Safe Harbor was invalidated in October. While this new deal is a promising step in the right direction for companies that transfer data from the EU to the United States, there are still many questions about exactly what the requirements of the new Privacy Shield will be, how an American company can ensure compliance with those requirements and (perhaps most importantly) whether the European Court of Justice will validate the new rules.
Indeed, the deal heralded by politicians on both sides of the Atlantic appears to be only a high-level agreement; the parties expect to document the actual terms over the next few weeks. The Article 29 Working Party (WP29), the body made up of representatives of the individual European Member States' data protection authorities, has called for the arrangement to be fully documented by the end of February. Thus, we anticipate quite a bit more negotiation on the precise scope and language of the requirements. Meanwhile, WP29, which had been assessing alternative transfer mechanisms such as standard contractual clauses (the so-called model contracts) for possible flaws that could lead to enforcement actions, announced that it will not take enforcement actions based on its concerns about these mechanisms while it awaits the details of the new transfer deal.
For the moment, this is what we know about the primary elements of the Privacy Shield:
- Increased monitoring and enforcement in the United States, to be carried out by the Commerce Department and the Federal Trade Commission, including access to judicial redress in the United States for European data subjects
- Multiple channels for European data subjects to raise complaints about data misuse, including through the companies handling the data or through a newly created “privacy ombudsman for national security”
- Commitments from the United States government about the increased safeguards and limitations to prevent access to transferred data by U.S. law enforcement and intelligence officials
- Joint annual review of the Privacy Shield agreement
Again, though, it is by no means clear whether this new arrangement will meet with the approval of the European data protection authorities. Although WP29 has suspended enforcement for now, its leadership has expressed concerns about the enforceability of promises from the U.S. government (particularly the outgoing Obama administration) that are made only in an exchange of letters. And even if the data protection authorities approve, it is always possible that the Privacy Shield could be challenged in the European courts by a concerned consumer, as the Safe Harbor was.
Assuming the Privacy Shield gets past these hurdles, it’s not yet clear as a practical matter what a company hoping to transfer EU data will need to do to comply. Presumably that will be spelled out more clearly when the full terms of the agreement are reduced to writing. Right now, most of the publicized details relate to additional restrictions and responsibilities imposed on the U.S. government.