On February 2, 2016, the European Commission, the executive body of the European Union (“EU”), and the United States announced an agreement on a new alternative, called the “Privacy Shield,” to replace the former “Safe Harbor” program, which was invalidated by the European Court of Justice (“ECJ”) in October 2015.
Unlike the United States’ patchwork approach to privacy, the EU has a broad overarching law, called the Data Protection Directive 95/46/EC (“Directive”), which provides a minimum set of protections that each EU member state must offer for personal data. In order to facilitate business between the United States and EU, the United States and EU negotiated an agreement whereby U.S. companies wishing to process EU residents’ personal data could do so by qualifying for, and meeting, certain principles and guidelines. These principles and guidelines were set forth in what was known as the U.S.-EU Safe Harbor Framework (“Safe Harbor”), which required adherence to guidance materials and seven basic principles: notice, choice, onward transfer limitation, security, data integrity, access, and enforcement. Companies could self-certify that they were in compliance with the Safe Harbor and process (which, under the Directive, includes transferring) EU data.
On October 6, 2015, the ECJ issued a judgment declaring the Safe Harbor “invalid.” Although the U.S. Department of Commerce stated that it would continue to administer the Safe Harbor program, companies that relied on the program for transferring employee information between the United States and EU were at risk.
The New EU-U.S. Privacy Shield
While the text of the Privacy Shield has not been released, news reports and the press release of the European Commission indicate that the new EU-U.S. Privacy Shield imposes stronger obligations on companies in the United States to protect the personal data of Europeans and provides for stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (“FTC”). Enforcement will include increased cooperation between the U.S. agencies and European Data Protection Authorities. Specifically, the new arrangement is reported to include the following elements:
- Strong obligations on U.S. companies handling Europeans’ personal data and robust enforcement: If a U.S. company imports personal data from Europe, it must commit to robust obligations on how the personal data is processed and guarantee certain individual rights. The Department of Commerce will monitor to ensure that companies publish their commitments. Once such commitments are published, the FTC has jurisdiction and authority to enforce compliance with them. Critically, U.S. companies handling European employment data (e.g., human resources information) must commit to comply with decisions by European regulators with respect to that data.
- Clear safeguards and transparency obligations on U.S. government access: The United States has assured the EU, in writing, that access by public authorities (for law enforcement and national security reasons) will be subject to clear limitations, safeguards, and oversight mechanisms. Such access must be limited to the extent necessary and must be proportionate to the need. Jointly, the European Commission, the U.S. Department of Commerce, national intelligence experts, and European Data Protection Authorities will annually review the Privacy Shield, including assessing national security needs and access.
- Effective protection of EU citizens’ rights with several redress possibilities: European citizens believing that their personal data has been misused under the Privacy Shield will have several avenues for remedy. European regulators can refer complaints to the U.S. Department of Commerce and the FTC. Companies will have deadlines to reply to complaints. In addition, individuals will be able to take advantage of a free alternative dispute resolution process. Additionally, the United States will create a new Ombudsperson position (within the U.S. Department of State) who will be tasked with addressing complaints and inquiries from individuals related to possible access by national intelligence authorities.
Pursuant to the European Commission’s press release, the next steps include the Commission’s preparation of a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party (comprised of European Data Protection regulators) and member states’ representatives. Meanwhile, the United States is taking steps to implement the new framework, monitoring mechanisms, and the new Ombudsperson position.
Impact of Agreement
There are still several hurdles to cross. The Article 29 Working Party and member states’ representatives must provide input to the College of Commissioners. Likewise, the United States must make the necessary preparations to put in place the new framework, monitoring mechanisms, and the new Ombudsperson. Absent a future challenge, however, there will be an “adequacy decision,” enabling transatlantic data flows between the EU and companies in the United States that comply with the new Privacy Shield.