It’s been four long and confusing months since the European Court of Justice (“ECJ”) invalidated the EU-US Safe Harbor Framework on which so many companies relied for transferring data out of the EU and Switzerland (explained in the opening paragraphs here) and, finally, an agreement for a new framework appears to have been reached.
There’s still a lot of dark tunnel to walk through before companies will be able to put concrete compliance strategies in motion, but yesterday afternoon a small light started to flicker at the tunnel’s far end as a subgroup of the European Commission approved what for now is being characterized as a “political agreement.” The official press release can be found here.
While short on details for now, we do know a few key data points already. The new arrangement, named the EU-US Privacy Shield:
- is designed to withstand the scrutiny from the ECJ that killed the old Safe Harbor.
- will be more of a “living” framework than was the old agreement, and thus reviewed and modified periodically.
- appears, for now, to be focused more on redress of perceived harms from surveillance activity by the U.S.
- government than commercial activity (e.g., the U.S. gave written, binding assurances that public authorities for law enforcement and national security will be subject to clear limitations, safeguards, and oversight mechanisms to avoid indiscriminate surveillance of EU citizens).
- has several mechanisms for handling complaints by EU citizens against the U.S. and U.S. companies, including stricter deadlines and more formalized processes.
- requires the U.S. government to create a new ombudsperson position to handle complaints involving improper access by national intelligence authorities.
- requires that, with respect to human resources data, companies must comply with decisions of the respective European Data Protection Authorities.
There are a number of steps that still must be taken, not only among the negotiating parties, but also within the European Commission legislative process, before we will have real answers—and there’s some chance we may not even get that far. Advocacy groups in Europe and here at home are already complaining that the Privacy Shield does not go far enough. But for now, some light should be viewed as better than none, and companies probably can safely continue along the same lines as discussed in our prior alert (found in the final paragraphs here).