EU-US Data Transfer Privacy Shield: Political Agreement Achieved Regarding “Safe Harbor 2.0”

By:  Barry Glazer, Ron Moscona and Chris Koa

Significant uncertainty and concern regarding US companies’ ability to process and use personal data received from the EU has loomed since the October  2015 decision by Europe’s highest court invalidating the EU-US Safe Harbor.  US and EU regulators earlier this week  announced conceptual agreement regarding a new EU-US Privacy Shield for transatlantic data transfers which is intended to replace the Safe Harbor scheme.

Following three months of intense negotiations in the wake of the October 6, 2015, decision by the Court of Justice of the European Union invalidating the EU-US Safe Harbor (previously in effect for over fifteen years), on February 2, 2016, the European Commission and US Department of Commerce announced a “political” agreement on a new  EU-US Privacy Shield, which is intended to protect Europeans’ rights when their personal data is transferred to the United States.

Key Features

Primary features of the high level, “political” agreement achieved regarding the EU-US Privacy Shield include the following:

  • Rigorous Obligations on Companies Handling Europeans’ Personal Data
    • US companies will be required to commit to more stringent obligations regarding the processing of personal data and protection of individual rights.
  • Robust Enforcement
    • The US Department of Commerce will monitor companies’ obligations to publish their data protection commitments.
    • The US Federal Trade Commission will enforce companies’ obligations to publish their data protection commitments.
  • US Government Data Safeguards & Data Access Transparency Obligations
    • The US has provided written assurances that:
      • data transferred to the US will not be subject to government mass surveillance programs and
      • access to data by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
    • The US Department of Commerce and EU Commission will conduct an annual joint review –including discussion of US national security-related access– to monitor the success of the EU-US Privacy Shield.
  • Protection of EU Citizens’ Rights Through Redress Possibilities
    • Companies will be required to reply to EU citizen complaints within specific timeframes.
    • European Data Protection Authorities will be able to refer complaints to the US Department of Commerce and the US Federal Trade Commission.
    • Alternative dispute resolution will be at no cost to the individual.
    • A new US Ombudsperson under the auspices of the US State Department will review complaints relating to alleged personal data access by national intelligence authorities.

Next Steps

In light of the high level “political” agreement achieved, during the next stage European and United States authorities will focus on the preparation of the detailed text of the new agreement, which should ultimately provide companies with specific, actionable direction regarding acceptable transatlantic personal data transfer practices.

The EU Commission must draft an adequacy decision, which would approve the EU-US Privacy Shield as a valid data transfer mechanism under the existing European Data Protection Directive. Once drafted over the coming weeks, the draft will need to be adopted by the College of EU Commissioners following consultations with representatives of the EU Member States and advice of the Article 29 Working Party, which may result in changes to the EU-US Privacy Shield.  The powerful Article 29 Working Party consists of the national data privacy regulators from each of the 28 EU member countries.  At its meeting on February 3, 2016, the Article 29 Working Party was cautious in its reaction to the news of the new agreement.  While it welcomed the conclusion of EU-US negotiations on the replacement of the Safe Harbor, it reserved its opinion until it has received the relevant documents in order to assess whether or not the new Privacy Shield meets the objections of the EU Court of Justice in invalidating the Safe Harbor. The Working Party gave the EU Commission until the end of February to provide details of the new agreement.  At the same time, the Working Party intends to examine to what extent the new agreement will provide a legal basis for the use of the other means of transferring personal data from the EU to US, including the use of standard contract provisions and binding corporate rules. Until it issues its assessment, the Working Party indicated that the standard contract clauses and binding corporate rules can still be used for personal data transfers from the EU to the US.   By contrast, since transfers of data under the now invalidated Safe Harbor cannot legally take place, the national data protection authorities in the EU will deal with complaints on a “case-by-case basis”.

Conclusion

Overall, we project that it will take another several months before companies will be able to rely on the new EU-US Privacy Shield for personal data transfers from the EU to the US.   Once details of the new scheme are released, US companies which have already self-certified under the old Safe Harbor scheme will need to determine what additional actions, if any, they will have to take in order to comply with the new EU-US Privacy Shield.

In the meantime,  given the uncertainty of the present situation, including the possibility of differing approaches by the national data privacy authorities in the EU to enforcing the law,  US companies which have previously relied exclusively on the Safe Harbor as a means of transferring personal data from the EU should evaluate alternative ways to mitigate risk such as entering into bilateral standard clause agreements  with EU data exporting entities to ensure adequate protection of personal data.

US companies should be aware that even if the new Privacy Shield obtains approval by the EU institutions, the new scheme could  be subject to challenge by individual privacy advocates within the EU on the basis that the new agreement does not go far enough to protect EU citizens. Whether or not the EU Court of Justice would consider the new arrangement merely a case of old wine in new bottles may remain an open question until such a challenge is brought.

The Commission’s press release announcing the deal is available here. The Article 29 Working Party’s Statement is available here.