European Commission (EC) and U.S. Department of Commerce (DOC) negotiators have reached a deal to implement a new U.S.-EU Safe Harbor Framework: the EU-U.S. Privacy Shield (what had informally been called "Safe Harbor 2.0"). This deal was fervently sought after the European Court of Justice's (ECJ) decision in Schrems v. Data Protection Commission, Case C-362/14 (Oct. 6, 2015) (see our posts here and here), which deemed the previous Safe Harbor Framework inadequate and concluded that Data Protection Authorities (DPAs) could independently evaluate whether EU citizens' right to privacy would be protected by the Safe Harbor.
Key points of discussion in the closing days included the availability of redress for EU citizens in U.S. courts and other governmental bodies, and vice versa. Legislation currently making its way through Congress would explicitly give European citizens the right to seek redress in U.S. courts. Negotiators also debated the authority of DPAs to use their enforcement powers under the new agreement. The Privacy Shield includes requirements for strong protection and robust enforcement; clear safeguards and transparency obligations for U.S. government access; effective protection of EU citizens' rights with options for redress, including enforcement by DOC and the Federal Trade Commission (FTC); and the creation of an Ombudsman to handle complaints about access by U.S. intelligence agencies. Notably, under the deal:
- Companies handling employee data must commit to comply with the decisions of European DPAs.
- U.S. law enforcement and national security access to EU citizens' personal data will be the exception, and "must be used only to the extent necessary and proportionate"; an annual joint review of this arrangement will be held.
- European citizens will have redress for alleged misuse of their data through new obligations of companies to respond to complaints and through no-charge alternative dispute resolution, among other routes.
The new Privacy Shield will allow companies to continue to transfer data between the U.S. and the EU, benefiting both companies that operate predominantly online (such as social media platforms and search engines) and traditional companies, many of which are concerned mostly with transferring employee or customer data around the world. Beneficiaries should include not only many multinational companies in sectors ranging from the chemical industry to consumer product companies to brick-and-mortar retailers, but also many supporting service providers and others who signed up for the Safe Harbor. At the EC's insistence, the agreement also aims to limit how U.S. intelligence agencies collect data on Europeans when their personal information is sent to the U.S.
Several steps remain before the Privacy Shield is formally adopted. The College of Commissioners directed Vice-President Andrus Ansip and Commissioner Věra Jourová to prepare a "necessary adequacy decision" in the coming weeks, for approval by the College. That process contemplates obtaining input from the Article 29 Working Party and a committee of Member States' representatives. Separately, the U.S. will be setting up the framework's mechanisms, including the monitoring mechanisms and the new Ombudsman. The timing of the deal is no surprise, since a committee of EU DPAs, the Article 29 Working Party, is set to release recommendations on data transfers between the U.S. and the EU tomorrow, Wednesday, February 3, 2016. The deal has been crafted to ensure maximum support from key stakeholders in the EU.
The negotiating team on the U.S. side was composed of representatives from DOC (including the general counsel), the FTC, and members of the intelligence community. On the European side, negotiators included representatives from the EC and DPAs. Commerce Secretary Penny Pritzker spoke multiple times with her counterpart, Commissioner Jourová.
Assurances from DOC representatives indicated that the 4,400+ companies already transferring data as Safe Harbor-ites would have some defined pathway to transition into participation in the Privacy Shield. Broader implications of the deal for other current adequacy mechanisms, like model contracts and binding corporate rules, that were cast in doubt by the Schrems decision have yet to be determined.
This deal, though welcome, is emblematic of a new, post-Snowden phase in the realm of international privacy and data transfers. Opposition to broad surveillance of mass citizenry has grown among the public in Europe and the U.S., with significant animus and distrust directed at the U.S. intelligence community in particular. In Europe, this has translated into a distrust of American companies at a time when European businesses are fighting global dominance by U.S. tech, search, and social media firms. An approved deal is only the start of a restoration of that trust, and there are still many steps that must be taken before final approval and implementation. Companies operating on both sides of the Atlantic and around the world should view the EU-U.S. Privacy Shield as a signal that regulators recognize the importance of global data flows to a strong economy, and the need to balance privacy rights with national security interests and practical business realities.