On October 6, 2015, the European Court of Justice (CJEU) invalidated the Safe Harbor framework between the United States and the European Union, putting at risk the legality of trans-Atlantic data transfers. Businesses and policy makers questioned how-and whether-"Safe Harbor 2.0" would be successfully negotiated. Earlier this week, on February 2, 2016, a new framework, the EU-U.S. Privacy Shield (the "Privacy Shield"), was announced.
In response to the concerns that initially invalidated the Safe Harbor, the Privacy Shield proposes to impose upon U.S. companies increased obligations to protect the personal data of Europeans, with more robust monitoring and enforcement by the U.S. Department of Commerce and the Federal Trade Commission (FTC), and cooperation with European Data Protection Authorities (DPAs). Moreover, companies that import human resources data will be required to comply with European DPA decisions. European citizens will also have avenues for redress, with clear rules for companies to respond to complaints, potential involvement by European DPAs, U.S. Department of Commerce, and FTC, as well as the ability to raise concerns about national intelligence authorities with a dedicated Ombudsman in the U.S.
Further, the U.S. has promised a written statement that it will not engage in indiscriminate mass surveillance on personal data transferred to the U.S., one of the leading factors behind the invalidation of the Safe Harbor. The U.S. has made additional assurances regarding clear limitations, safeguards, and oversight mechanisms on law enforcement and national security surveillance. According to the Privacy Shield, the EU and U.S. are to review this agreement annually.
In return, companies that honor their obligations under the Privacy Shield would be permitted to transfer data from the EU to the U.S., if the Privacy Shield is approved and if implementing rules are drafted and go into effect (as they are tentatively slated to do in April 2016).
Rules are to be finalized and are slated to go into effect in April. However, the Privacy Shield still faces significant hurdles, including the drafting of an "adequacy decision" in the EU to be adopted by the College of Commissioners, with input from the Article 29 Working Party and representatives of the Member States. In the U.S., the structure for implementing the Privacy Shield will need to be built, including naming an Ombudsman and establishing an alternative dispute resolution system. Meanwhile, the Privacy Shield faces sharp criticism that it does not adequately address the concerns in the CJEU's order that struck down the Safe Harbor in the first place. Consumer and privacy groups have threatened legal challenges.
In the interim, U.S. companies doing business in the EU must continue to grapple with the uncertainty. In the absence of clear regulations, companies that participated in Safe Harbor should continue to honor the privacy commitments they made under that agreement inasmuch as the Privacy Shield, at least at this stage, appears to impose some similar restrictions. US companies should also continue to review the sources and types of information they (and their vendors) collect, store, and transmit and consider ways to avoid unnecessary transfers of personal data. That said, any transfer of personal data should be encrypted before it leaves the EU since EU data protection regulations concern only transfers of data in personally identifiable form. Finally, companies should regularly check in with their privacy and data protection lawyers to make sure they are doing everything they are required to do under this potential new framework.