Political agreement on a new framework for transatlantic data transfers reached
On February 2, 2016, European Union ("EU") and U.S. regulators reached a political agreement on a new "Safe Harbor 2.0" that could provide thousands of companies with a legal basis for transatlantic data transfers.
The framework—referred to as the "EU-U.S. Privacy Shield"—is the result of lengthy negotiations between EU and U.S. policymakers aimed at developing an alternative to the now defunct Safe Harbor program ("Safe Harbor"). Safe Harbor was implemented by agreement between the U.S. government and the EU Commission in 2000, and since its inception, more than 4,000 U.S. companies participated in order to receive personal data from the EU.
However, on October 6, 2015, the European Court of Justice ("ECJ") invalidated the EU Commission decision underlying the 15-year-old transatlantic agreement, concluding that it failed to provide an adequate level of protection to personal data transferred from the EU to the U.S., as required by the EU Data Protection Directive 95/46/EC. The ECJ's decision stemmed, in large part, from concerns over the U.S. government's ability to access transferred personal data as well as the lack of judicial redress afforded to EU citizens to defend their fundamental privacy rights.
According to the EU Commission's press release, the EU-U.S. Privacy Shield is designed to be more robust than its predecessor and offer stronger safeguards to rectify the inadequacies of the Safe Harbor program identified by the ECJ. The proposed arrangement includes, among other things, stronger obligations on U.S. companies handling EU personal data, more robust enforcement mechanisms, redress possibilities for EU citizens, and a focus on transparency and oversight mechanisms to limit U.S. government access to EU personal data.
As part of the agreement, EU citizens are granted multiple avenues to address concerns regarding the processing of their personal data. Participating companies will be required to directly address any questions or complaints raised by EU citizens, and to implement deadlines by which to respond to individual complaints. Additionally, EU citizens will be able to refer complaints to European Data Protection Authorities ("DPAs"), which will work with the U.S. Department of Commerce and Federal Trade Commission to ensure that individual complaints are resolved and that companies are complying with their published commitments. In the event the above redress mechanisms fail, EU citizens will have access to free alternative dispute resolution mechanisms as a last resort. Companies can also expect greater oversight and enforcement by the U.S. Federal Trade Commission in collaboration with the EU DPAs, to ensure adherence to the EU-U.S. Privacy Shield and other applicable data privacy rules.
With respect to the perceived overreach of U.S. government surveillance, no concrete details were disclosed regarding what guarantees the U.S. provided to limit governmental access, other than written commitments stating that access to information by public authorities would be subject to clear limitations, safeguards, and oversight mechanisms. However, the EU-U.S. Privacy Shield envisions the creation of an ombudsperson at the U.S. Department of State who will be responsible for investigating individual concerns over access to personal data by U.S. national security agencies. Further, the EU Commission and the U.S. agreed to conduct a joint annual review to monitor this arrangement and ensure limitations on access are necessary and proportionate.
The EU-U.S. Privacy Shield also includes new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies’ agents (data processors) to improve accountability and ensure a continuity of protection. It remains unclear whether other Safe Harbor Principles—including individual notice and individual choice—will be significantly changed. Based on the limited details released by U.S. and EU regulators, companies can tentatively expect that these obligations will remain largely the same as the equivalents from the previous Safe Harbor arrangements.
The announcement of the EU-U.S. Privacy Shield comes just two days after the January 31, 2016 deadline set by the Article 29 Working Party (which consists of representatives from all EU DPAs) to replace the Safe Harbor before it considers coordinated enforcement actions against companies relying on the invalid Safe Harbor framework. The Article 29 Working Party issued a statement on February 2, 2016, following its meeting in Brussels, in which it welcomes the newly proposed EU-U.S. Privacy Shield. It calls on the EU Commission to provide it with all documents relating to the new arrangement by the end of February 2016, so that it can complete its assessment of all personal data transfers to the U.S. during an extraordinary meeting which will apparently be organized at the end of March. Only after that meeting will the Article 29 Working Party decide whether existing transfer instruments (such as Standard Contractual Clauses and Binding Corporate Rules) can still be used for such transfers; in the meantime, those existing transfer instruments remain available.
Many obstacles still lie ahead before the EU-U.S. Privacy Shield is implemented. In the coming weeks, EU Vice President Ansip and EU Commissioner Jourová are expected to prepare a draft "adequacy decision" to be adopted by the EU College of Commissioners after obtaining the advice of the Article 29 Working Party and consulting a committee of representatives of the Member States. By then, it should become more apparent whether the EU-U.S. Privacy Shield enjoys broad support throughout the EU, particularly amidst continued concerns over U.S. government surveillance. The U.S. government must also make significant preparations, including establishing a mechanism to monitor compliance and regulate U.S. governmental access to personal data. The new framework will likely be subject to legal challenges by privacy advocates disputing its adequacy.
Given the constantly evolving data protection landscape, international companies should continue to monitor and prioritize data protection compliance issues. Regardless, it is premature for companies to rely on the new EU-U.S. Privacy Shield as a valid basis for engaging in transatlantic data transfers. Until the details of the new framework are resolved, companies engaged in cross-border transfers should continue to explore and implement other, more stable solutions for legitimizing EU-U.S. data flows, including Standard Contractual Clauses and Binding Corporate Rules.