Negotiators from the U.S. and the European Union (EU) announced Tuesday that they have agreed on a new framework for online data flows between the U.S. and Europe to replace the “Safe Harbor” pact that was invalidated by the European Court of Justice (ECJ) last year. Tuesday’s agreement was completed one day after the ECJ’s official deadline for replacing the Safe Harbor accord, which was initially adopted in 2000 to facilitate the transference of data from EU countries to the U.S. Although the Safe Harbor agreement was premised on the notion that any data transferred outside of the EU to the U.S. would be treated with the same privacy protections given to data that is stored or moved within EU borders, the ECJ invalidated the pact last October on grounds that these and other privacy guarantees were insufficient.
Known as the Privacy Shield, the new agreement addresses the ECJ’s concerns by requiring U.S. companies to commit to “robust obligations on how personal data is processed and individual rights are guaranteed” when importing online personal data that originates in EU member states. In addition to prescribing new mechanisms for monitoring and enforcement by the U.S. Commerce Department and the Federal Trade Commission (FTC), the Privacy Shield also includes written assurances that government access to online personal data for purposes of law enforcement and national security “will be subject to clear limitations, safeguards and oversight.” Redress options will be provided to EU citizens who believe their personal data has been misused, and EU digital rights authorities will have the right to refer complaints to the Commerce Department and FTC. The pact remains subject to ratification by the EU member states.