U.S. and EU officials have agreed on a Safe Harbor replacement just as a deadline from EU data protection authorities passed. However, the exact details of the new EU-U.S. Privacy Shield have not been released and organizations will have a few more weeks before EU privacy regulators begin checking for compliance with personal data transfer rules.
The European Commission announced on February 2 that the European Union and the United States had resolved months of negotiations and approved the new EU-U.S. Privacy Shield, a replacement for the U.S.-EU Safe Harbor Framework, which thousands of American companies relied upon to receive personal data from European customers and suppliers but which was invalidated last October by the Court of Justice of the European Union (“CJEU”). The new trans-Atlantic data transfer agreement, which was welcomed by the EU’s Article 29 Working Party (“WP29”) yesterday, is meant to both protect EU citizens’ fundamental rights under the EU Data Protection Directive (“Directive”) and “ensure legal certainty for businesses” importing personal data from the EU. The WP29 is composed of the EU’s 28 data protection authorities and provides interpretive guidance on Europe’s privacy legal framework.
Though the Privacy Shield’s exact details have yet to be released, businesses that transfer personal data from Europe to the United States are cheering news of the accord, especially after it appeared that negotiators were not likely to reach a deal before the WP29 was to meet on February 3. Yet it remains to be seen how onerous the Privacy Shield’s data protection obligations and penalties will be for American companies. Moreover, the WP29’s promise to review the deal in detail in the coming weeks – along with the legal challenges that are likely to be filed – means that a final resolution over how U.S. companies may import Europeans’ personal data in accordance with EU law may be some months away.
What will the EU-U.S. Privacy Shield Require?
The European Commission has released some information about the Privacy Shield framework, stating that the agreement will subject American companies to stronger privacy protections and increased regulatory monitoring and enforcement by U.S. agencies, including:
- “Robust” privacy obligations and enforcement for U.S. companies. American businesses importing Europeans’ personal data will be required to commit to “robust obligations” concerning personal data processing and protection rights under the Directive. Companies will be subject to monitoring by the U.S. Department of Commerce and enforcement from the Federal Trade Commission (“FTC”) regarding their processing and privacy commitments. Companies that handle EU human resource data also must comply with decisions made by EU data protection authorities (“DPAs”).
- Redress opportunities for EU citizens. Additionally, the Privacy Shield will offer EU citizens multiple ways to resolve complaints that their data has been misused, which will likely impose significant compliance burdens on affected companies. For instance, U.S. companies will be required to reply to citizens’ complaints by specific deadlines. There is also the possibility that EU citizen complaints could directly result in U.S. regulatory enforcement actions, as DPAs will be allowed to refer citizen complaints straight to both the Commerce Department and the FTC.
- Limits, safeguards and transparency on U.S. access to data. Finally, the U.S. agreed to limits on law enforcement and national security authorities’ collection of personal data of Europeans, subject to safeguards and an oversight mechanism.
What to Do Now – Play the Waiting Game
Despite the negotiators’ agreement, it will be some time before the EU-U.S. Privacy Shield is legally effective and available for businesses to take advantage of. Indeed, the Privacy Shield faces a series of procedural and possible legal hurdles that may delay its implementation or even alter its scope.
- Availability of Privacy Shield to businesses is likely some months away. The WP29 announced on February 3 that it will scrutinize the Privacy Shield’s particulars “in the coming weeks” to assess whether the framework provides adequate protections for EU citizens’ personal data under the Directive, asking the European Commission to provide all documents to the WP29 by the end of February. This review may be prolonged based on the WP29’s continued concerns about the scope of U.S. surveillance on transferred data and the availability of effective remedies to EU citizens. Both the U.S. and the EU will need to take measures to implement the Privacy Shield before it takes legal effect and becomes available for use.
- Most importantly, the European Commission must prepare a detailed proposal for an “adequacy decision” approving the new transfer mechanism. The adequacy decision will be approved only after the WP29 provides its own opinion and the Commission consults EU member state governments.
- The United States will need to finalize its commitments regarding surveillance of Europeans and put in place an ombudsman and oversight mechanisms. Congress must pass legislation giving Europeans the right under U.S. law to challenge privacy violations by the U.S. government through the enactment of the Judicial Redress Act.
- Finally, there is a strong likelihood that EU privacy advocates will file suit to block the Privacy Shield’s implementation, claiming that it does not ensure an “adequate level of protection” for European citizens’ personal data as required by the CJEU.
All of these factors mean that the Privacy Shield will probably not be legally effective until the spring at the earliest.
- Data transfer enforcement moratorium extended. Fortunately for concerned businesses, Europe’s DPAs agreed to extend their current pause on data transfer enforcement actions until the WP29 has a chance to review the Privacy Shield’s framework. The WP29 had previous encouraged EU member DPAs to begin coordinated enforcement actions after February 1 targeting those data transfers invalidated by the CJEU’s decision.
- Model clauses and BCRs are still OK – for now. In the meantime, businesses are encouraged to continue relying on model contractual clauses and Binding Corporate Rules (“BCRs”) to facilitate trans-Atlantic data transfers. The WP29’s February 3 announcement reassured businesses that BCRs and model clauses remain valid bases for data transfers (at least for now). However, the body did state that it will use its review of the Privacy Shield to assess the continued viability of model clauses and BCRs in light of the CJEU’s decision.