The European Commission announced an agreement in principle on a new framework for data transfers to replace the “Safe Harbor” arrangement that had governed data flows between the United States and Europe for the past 15 years. The proposed framework — now called the “EU-US Privacy Shield” (which in the run-up to adoption also had been referred to as “Safe Harbor 2.0”) — is intended to address the concerns that prompted the Safe Harbor’s invalidation by the European Union’s highest court in October of last year. As of now, the negotiators have reached agreement only on a broad outline of the Privacy Shield’s terms, and the parties have turned to working out the details. Assuming it is approved, the new framework would go into effect sometime in April of this year.
Background on the Negotiations
European data protection rules prohibit the transfer of data subject to those rules to countries outside the European Economic Area unless an “adequate” level of protection is provided (or unless one of a limited number of exceptions applies). For the last fifteen years, the so-called “Safe Harbor” agreement provided an important method for ensuring that data transferred to the US was “adequately” protected, allowing businesses operating in Europe to transfer information protected by European privacy laws across the Atlantic to recipients in the US that had joined the Safe Harbor. This arrangement was upended on October 15, 2015, when the European Court of Justice, in Schrems v. Data Protection Commissioner of Ireland, declared invalid the European Commission decision that had determined the Safe Harbor to be adequate, citing U.S. Government national security data collection initiatives that the Court believed harmful to the privacy interests of European citizens.
(For more information on the ECJ’s decision, see The EU-U.S. Safe Harbor Decision: Implications for the Asset Management Industry)
Soon thereafter, the EU’s Article 29 Working Party (the advisory group of European data privacy authorities charged with ensuring harmonious enforcement of rules throughout Europe by the different member state authorities) called for open discussions between EU Member states, EU Institutions and U.S. authorities “to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights” of European citizens. The Working Party also announced that if the U.S. and EU failed to reach agreement on a new framework that would satisfy the European Court of Justice by the end of January 2016, EU data protection authorities were committed to taking any actions necessary to protect the interests of European citizens affected by data transfers to the United States.
(For more information on the Article 29 Working Party’s statement, see Data Protection: EU Article 29 Working Party Issues Statement on Invalid EU-US Safe Harbor)
U.S. and EU authorities already had begun negotiations on a replacement for the Safe Harbor’s provisions before the Schrems decision came down in October. According to news reports, both sides worked intensely to meet the January 2016 deadline for action adopted by the Working Party. Even with these efforts, there were still concerns the deadline would not be met because of policy differences on national security concerns and perceived differences between the U.S. and EU privacy regimes.
Agreement on the EU-US “Privacy Shield”
As described by the EU Commission in a press release dated February 2, 2016 (“EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield”), the new framework for cross-Atlantic data transfers is intended to address the deficiencies that compromised the Safe Harbor’s protections in the eyes of the ECJ. According to the release, the “Privacy Shield” arrangement will contain the following elements:
- U.S. companies wishing to import personal data from Europe will be required to commit to “robust obligations on how personal data is processed and individual rights are guaranteed.” Companies transferring human resources data from Europe to the U.S. will be required to comply with the decisions of European data protection authorities. In addition, the Department of Commerce will require that companies subject to the Privacy Shield’s provisions publish the commitments they make about how data belonging to Europeans will be processed, which would allow breaches of these commitments to be addressed and remedied under U.S. law by the Federal Trade Commission.
- The U.S. has provided the EU with “written assurances” that the access of U.S. law enforcement and national security authorities to data transferred under the new agreement “will be subject to clear limitations, safeguards and oversight mechanisms.” The U.S. also agreed to forgo “indiscriminate mass surveillance on the personal data transferred to the U.S. under the new arrangement,” in favor of data collections that are “proportionate” and performed “only to the extent necessary.” The U.S. and EU will conduct “an annual joint review” of how the arrangement is functioning, which will include reviews of data retrievals done for the purpose of national security. The officials who conduct these reviews will include “national intelligence experts” from both government authorities.
- The new arrangement will provide EU citizens with personal rights of redress that were not part of the Safe Harbor arrangement. Companies will have deadlines to respond to citizen complaints. European Data Protection Authorities will be able to “refer complaints to the [U.S.] Department of Commerce and the Federal Trade Commission.” Alternative dispute mechanisms will be available “free of charge,” and an “Ombudsman” will be charged with resolving complaints about improper access to protected information by national security authorities.
A “Fact Sheet” released by the U.S. Department of Commerce adds a few more details about the parties’ intentions with regard to strengthening European citizens’ rights of access to remedies designed to protect their personal information. Overall, the Department characterizes the Privacy Shield as including “new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies’ agents to improve accountability and ensure a continuity of protection.” The Fact Sheet notes that under the Privacy Shield’s provisions, “EU individuals will have access to multiple avenues to resolve concerns,” including resolution through alternative dispute mechanisms. The agreement envisions increased and direct involvement by the Commerce Department in resolving disputes over data transfers: “The Department of Commerce will step in directly and use best efforts to resolve referred complaints, including by dedicating a special team with significant new resources to supervise compliance with the Privacy Shield.” In addition, companies who participate in the program will be required to participate in arbitrations “as a matter of last resort to ensure that EU individuals who still have concerns will have the opportunity to seek legal remedies.”
As was also the case with the European Commission’s Press Release, the Commerce Department’s Fact Sheet emphasizes both sides’ commitment to monitoring the new framework’s operations. To ensure that the “Privacy Shield” will be “a living framework subject to active supervision,” the Commerce Department, the FTC, and EU DPAs have committed to holding “annual meetings to discuss the functioning of and compliance with” the new data transfer provisions.
Edith Ramirez, the Chairwoman of the FTC, stated on February 2, 2016 that, “We are pleased that U.S. and European Commission officials have reached an agreement in principle which, once finalized, will allow for the continuation of an important mechanism for transatlantic data transfers. Under the new agreement, the EU-U.S. Privacy Shield, the Federal Trade Commission will continue to prioritize enforcement of the framework as part of our broader commitment to protect consumers’ personal information and privacy. We will continue to work closely with our European partners to ensure consumer privacy is protected on both sides of the Atlantic.” (See the FTC Press Release Here)
The EU’s press release reports that negotiators will turn now to working out the details of the “Privacy Shield” agreement. EU authorities will work on drafting an “adequacy decision” that can be adopted by the European Commission. The release makes clear that this drafting process will include consultations with the Article 29 Working Party and with “a committee composed of representatives of the Member States.” “In the meantime,” the release notes, “[T]he U.S. side will make the necessary preparations to put in place the new Framework, monitoring mechanisms and new Ombudsman.” According to a New York Times report on the accord (NYT, February 2, 2016, “U.S. and Europe in a Safe Harbor Deal, but Legal Fight May Await”), the Privacy Shield’s provisions, if formally approved, could take effect in early April.
Because more specific details on how the Privacy Shield will work are still being developed, it is hard to assess whether the new scheme will deal adequately with the criticisms of Safe Harbor set out by the ECJ in the Schrems decision and therefore survive any legal challenges. Certainly, privacy advocates are already arguing that not enough has been done.