Representatives of European Union (EU) member states voted last Friday to approve the “Privacy Shield” framework that will take the place of the previous U.S.-EU “Safe Harbor” agreement in governing online data transfers between the EU and the U.S.

Announced in February, the Privacy Shield bolsters data privacy protections contained in the 2000 Safe Harbor accord, which was invalidated last October by the European Court of Justice (ECJ).  Addressing flaws that the ECJ found in the previous Safe Harbor framework, the Privacy Shield requires U.S. companies to commit to “robust obligations on how personal data is processed and individual rights are guaranteed” when importing online personal data that originates in EU member states.  The Privacy Shield also includes written assurances that government access to online personal data for purposes of law enforcement and national security “will be subject to clear limitations, safeguards and oversight.”  Redress options will be provided to EU citizens who believe their personal data has been misused.  EU digital rights authorities will also have the right to refer complaints to the U.S. Commerce Department and Federal Trade Commission.  Commerce and data protection authorities in the U.S. and the EU will review the Privacy Shield on a yearly basis, and the U.S. will brief EU authorities on any changes to U.S. law which could impact the agreement. 

Late last month, in a move that facilitated Friday’s vote, the U.S. provided EU officials with additional details regarding the circumstances under which bulk data may be collected for purposes of protecting national security.  Although the pact remains subject to ratification by the European Commission, affected companies will be able to sign up for the Privacy Shield on August 1st once they have implemented technical and other changes that are required to comply with the new rules.  Observing that “cross-border data flows are essential for businesses of all sizes, and lead directly to jobs and economic growth on both sides of the Atlantic,” a spokesman for the Software and Information Industry Association welcomed Friday’s vote as one that “demonstrates . . . EU member states are committed to both protecting their citizens’ privacy and ensuring greater economic opportunity.”