On February 2, 2016, following three months of intense negotiations in the wake of the October 6, 2015 decision by the Court of Justice of the European Union invalidating the EU-US Safe Harbor (previously in effect for over fifteen years), , the European Commission and US Department of Commerce announced a “political” agreement on a new EU-US Privacy Shield. The new Privacy Shield is intended to protect Europeans’ rights when their personal data is transferred to the United States. The Commission’s press release announcing the deal is available here. The Article 29 Working Party’s Statement is available here.
Primary features of the high level, “political” agreement include the following:
- Rigorous Obligations on Companies Handling Europeans’ Personal Data
- US companies will be required to commit to more stringent obligations regarding the processing of personal data and protection of individual rights.
- Robust Enforcement
- The US Department of Commerce will monitor companies’ obligations to publish their data protection commitments.
- The US Federal Trade Commission will enforce companies’ obligations to publish their data protection commitments.
- US Government Data Safeguards & Data Access Transparency Obligations
- The US has provided written assurances that:
- data transferred to the US will not be subject to government mass surveillance programs and
- access to data by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
- The US Department of Commerce and EU Commission will conduct an annual joint review –including discussion of US national security-related access– to monitor the success of the EU-US Privacy Shield.
- The US has provided written assurances that:
- Protection of EU Citizens’ Rights Through Redress Possibilities
- Companies will be required to reply to EU citizen complaints within specific time frames.
- European Data Protection Authorities will be able to refer complaints to the US Department of Commerce and the US Federal Trade Commission.
- Alternative dispute resolution will be at no cost to the individual.
- A new US Ombudsperson under the auspices of the US State Department will review complaints relating to alleged personal data access by national intelligence authorities.
During the next stage, European and United States authorities will focus on the preparation of the detailed text of the new agreement, which should ultimately provide companies with specific, actionable direction regarding acceptable transatlantic personal data transfer practices.
The EU Commission must draft an adequacy decision, which would approve the EU-US Privacy Shield as a valid data transfer mechanism under the existing European Data Protection Directive. Once drafted, the decision will need to be adopted by the College of EU Commissioners following consultations with representatives of the EU Member States and advice of the Article 29 Working Party, which may result in changes to the EU-US Privacy Shield. The powerful Article 29 Working Party consists of the national data privacy regulators from each of the 28 EU member countries. At its meeting on February 3, 2016, the Article 29 Working Party was cautious in its reaction to the news of the new agreement. While it welcomed the conclusion of EU-US negotiations on the replacement of the Safe Harbor, it reserved its opinion until it receives the relevant documents to assess whether the new Privacy Shield meets the objections of the EU Court of Justice in invalidating the Safe Harbor. The Working Party gave the EU Commission until the end of February to provide details of the new agreement. At the same time, the Working Party intends to examine the extent to which the new agreement will provide a legal basis for the use of the other means of transferring personal data from the EU to US, including the use of standard contract provisions and binding corporate rules. Until it issues its assessment, the Working Party indicated the standard contract clauses and binding corporate rules can still be used for personal data transfers from the EU to the US. By contrast, since transfers of data under the now invalidated Safe Harbor cannot legally take place, the national data protection authorities in the EU will deal with complaints on a “case-by-case basis”.
We project it will take another several months before companies can rely on the new EU-US Privacy Shield for personal data transfers from the EU to the US. Once details of the new scheme are released, US companies, which have already self-certified under the old Safe Harbor scheme, will need to determine what additional actions, if any, they will have to take in order to comply with the new EU-US Privacy Shield.
In the meantime, given the uncertainty of the present situation, including the possibility of differing approaches by the national data privacy authorities in the EU to enforcing the law, US companies that previously relied exclusively on the Safe Harbor as a means of transferring personal data from the EU should evaluate alternative ways to mitigate risk such as entering into bilateral standard clause agreements with EU data exporting entities to ensure adequate protection of personal data.
US companies should be aware that even if the new Privacy Shield obtains approval by the EU institutions, the new scheme could be subject to challenge by individual privacy advocates within the EU on the basis the new agreement does not go far enough to protect EU citizens. Whether or not the EU Court of Justice would consider the new arrangement merely a case of old wine in new bottles may remain an open question until such a challenge is brought.