Two days after the original January 31 deadline, the European Union and United States have announced a replacement for the Safe Harbor agreement — the EU-U.S. Privacy Shield — which, if approved, will provide a new framework under which U.S. companies can transfer personal data from the EU to the U.S. under the EU Data Directive. The specific text of the Privacy Shield has not yet been released, and the agreement must still be approved on both sides of the Atlantic, which could take a few months, but some details of the historic arrangement have begun to emerge. Overall, the agreement seeks to balance the fundamental right to privacy of EU residents with the needs of the U.S. intelligence community while also creating a workable system for U.S. companies.
As we reported in the October 2015 edition of our Privacy and Cybersecurity Update, the Court of Justice of the European Union invalidated the then-current Safe Harbor framework agreement between the EU and U.S. The framework had allowed companies to transmit personal information from the EU to the U.S., despite the European Union’s assessment that the United States does not have “adequate” data protection laws in place. In its Schrems decision, the court found that the existing framework did not adequately protect the interests of data subjects. Following the decision, the Article 29 Working Party, which is composed primarily of representatives from the data protection authorities of each EU member state, and which generally seeks to coordinate data protection efforts in the EU, set a deadline of January 31, 2016, for agreement on a new Safe Harbor framework. According to the Working Party’s statement, if the deadline were missed, and if EU regulators determined that the other transfer mechanisms do not afford adequate data protection, national authorities would take “all necessary and appropriate actions” to protect personal data.
The Privacy Shield
The U.S. Department of Commerce has indicated that the Privacy Shield was crafted very much with the Schrems decision in mind, and sought to address the court’s concerns that led to invalidating the Safe Harbor. The central focus of the Schrems decision was not so much the use of personal data by companies, but rather the ability of the U.S. government to access such data and the lack of recourse available to EU residents. The Privacy Shield creates greater U.S. oversight, including a larger role for the FTC and the creation of a State Department “ombudsman” to oversee access to personal data by the U.S. intelligence community for surveillance purposes and review complaints by EU residents. The U.S. Office of the Director of National Intelligence also will provide written assurances that access to personal data for surveillance purposes will be limited and proportionate.
EU residents will have a variety of means to file complaints about access to and use of their data. For example, companies will now have to offer access to free alternative dispute resolution mechanisms to address issues that arise. European Data Protection Authorities could also refer complaints directly to the Department of Commerce or the Federal Trade Commission.
In addition, the European Commission and U.S. Department of Commerce will revisit the Privacy Shield each year to confirm it continues to address EU privacy concerns.
We expect that, in the coming days, the text of the Privacy Shield will be released and the somewhat extended process of approving the agreement in the EU will commence. While approval is likely, privacy advocates have already begun to attack the deal for being too weak. No guidance has yet been provided as to whether companies that certified to the Safe Harbor in the past will be able to transition easily to the Privacy Shield or will instead need to start a whole new process. Companies should also keep in mind that the Privacy Shield will not be the only means to send personal data from the EU to the U.S., as the “model contract” regime remains in place.