On Tuesday, the European Commission and the United States reached an agreement to reinstate the free flow of data between companies in the U.S. and the EU. This new framework, rebranded as the “EU-U.S. Privacy Shield,” is intended to safeguard users’ privacy at a new level. The College of Commissioners approved the political agreement and has mandated Vice-President Ansip and Commissioner Jourová to move forward with steps to put in place the new arrangement, according to the press release from the European Commission.
The impetus to structure a new data-sharing arrangement began when the Court of Justice of the European Union (“CJEU”) struck down the 15-year-old Safe Harbor agreement on October 6, 2015 in Maximillian Schrems v Data Protection Commissioner (Case C-362/14). In his case, Mr. Schrems argued that in light of Edward Snowden's revelations about the NSA, the data he provided to Facebook that was transferred from the company's Irish subsidiary to the US under the Safe Harbor scheme was not, in fact, safely harbored. In its ruling, the CJEU cited concerns that the NSA’s indiscriminate overseas surveillance interfered with the “fundamental rights” of its citizens, whose data it has the responsibility to protect.
While many stakeholders celebrated the news, others were quite a bit more skeptical of its success and said they would reserve final judgment until the agreement is formally spelled out on paper, which could take weeks or months. Jan Philipp Albrecht, MEP for Germany, serving on the Committee on Civil Liberties, Justice, and Home Affairs, was particularly harsh, calling it “an affront to the European Court of Justice” that “foresees no legally binding improvements” to American or European spying laws.
The Article 29 Working Party (“WP29”), a data protection authority set up by the European Parliament, said on Wednesday that it is pleased the negotiations have concluded and “looks forward to receiving the relevant documents in order to know precisely the content and the legal bindingness of the arrangement and to assess whether it can answer the wider concerns raised by Schrems judgment as regards international transfers of personal data,” according to their press release. The WP29 also expressed concerns about the commitment of the United States and the current U.S. legal framework regarding relevant legal remedies available to all people.
EU-US Privacy Shield – The New Arrangement
The new arrangement will include the following elements:
- Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
Vice-President Ansip and Commissioner Jourová will prepare a draft “adequacy decision” in the next few weeks. Both the WP29 and a committee of representatives of member states will be consulted before the decision is presented to the College of Commissioners for adoption. During this time, the U.S. is expected to make the necessary preparations to implement the new framework, monitoring mechanisms and new Ombudsman.
How does this impact U.S. companies doing business in the EU?
Since the CJEU struck down the 15-year-old Safe Harbor agreement on October 6, 2015, the thousands of businesses that were certified under the Safe Harbor scheme, and the thousands more that trade with those businesses and disclose personal data, have been left with little to no guidance on how to transmit and share data in a lawful and compliant way. Although this newly announced arrangement is a step in the right direction, there is still much more work to be done.
What is clear from the standards set forth thus far is that U.S. companies will be obligated to adopt stringent and robust safeguards and protocols for the transmission and processing of personal data, and these safeguards and protocols will receive higher government scrutiny and regulation. U.S. companies are encouraged to conduct thorough assessments of current policies and procedures and follow developments closely in order to adopt and implement policies and procedures compliant under the new framework. Complying with the new framework for data transfer will be imperative for companies vying to be a top competitor in the global marketplace.
The international law, compliance, privacy, and data protection attorneys at FisherBroyles will continue to follow the progress of this matter and are available to help those in need of advice and assistance work through compliance needs and alternatives to Safe Harbor data transfers.