June 26, 2019

Agreement Reached on EU-U.S. Privacy Shield, Replacing Former Safe Harbor

On February 2, 2016, the European Commission, the executive body of the European Union (“EU”), and the United States announced an agreement on a new alternative, called the “Privacy Shield,”[1] to replace the former “Safe Harbor” program, which was invalidated by the European Court of Justice (“ECJ”) in October 2015.[2]

Background

Unlike the United States’ patchwork approach to privacy, the EU has a broad overarching law, called the Data Protection Directive 95/46/EC (“Directive”), which provides a minimum set of protections that each EU member state must offer for personal data. In order to facilitate business between the United States and EU, the United States and EU negotiated an agreement whereby U.S. companies wishing to process EU residents’ personal data could do so by qualifying for, and meeting, certain principles and guidelines. These principles and guidelines were set forth in what was known as the U.S.-EU Safe Harbor Framework (“Safe Harbor”), which required adherence to guidance materials and seven basic principles: notice, choice, onward transfer limitation, security, data integrity, access, and enforcement. Companies could self-certify that they were in compliance with the Safe Harbor and process (which, under the Directive, includes transferring) EU data.

On October 6, 2015, the ECJ issued a judgment declaring the Safe Harbor “invalid.”[3] Although the U.S. Department of Commerce stated that it would continue to administer the Safe Harbor program,[4] companies that relied on the program for transferring employee information between the United States and EU were at risk.

The New EU-U.S. Privacy Shield

While the language of the Privacy Shield has not been released, news reports and the press release of the European Commission indicate that the new EU-U.S. Privacy Shield imposes stronger obligations on companies in the United States to protect the personal data of Europeans and provides for stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (“FTC”). The enforcement will include increased cooperation between the U.S. agencies and European Data Protection Authorities. Specifically, the new arrangement is reported to include the following elements:

  • Strong obligations on U.S. companies handling Europeans' personal data and robust enforcement: If a U.S. company imports personal data from Europe, it must commit to robust obligations on how the personal data is processed and guarantee certain individual rights. The Department of Commerce will monitor to ensure that companies publish their commitments. Once such commitments are published, the FTC has jurisdiction and authority to enforce compliance with those commitments. Critically, U.S. companies handling European employment data (e.g., human resource information) must commit to comply with decisions by European regulators with respect to that data.

  • Clear safeguards and transparency obligations on U.S. government access: The United States has assured the EU, in writing, that access by public authorities (for law enforcement and national security reasons) will be subject to clear limitations, safeguards, and oversight mechanisms. Such access must be limited to the extent necessary and must be proportionate to the need. Jointly, the European Commission, the U.S. Department of Commerce, national intelligence experts, and European Data Protection Authorities will annually review the Privacy Shield, including assessing national security needs and access.

  • Effective protection of EU citizens’ rights with several redress possibilities: European citizens believing that their personal data has been misused under the Privacy Shield will have several avenues for remedy. European regulators can refer complaints to the U.S. Department of Commerce and the FTC. Companies will have deadlines to reply to complaints. In addition, individuals will be able to take advantage of a free alternative dispute resolution process. Additionally, the United States will create a new Ombudsperson position (within the U.S. Department of State) who will be tasked with addressing complaints and inquiries from individuals related to possible access by national intelligence authorities.

Pursuant to the European Commission’s press release, the next steps include the Commission’s preparation of a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party (comprised of European Data Protection regulators)[5] and member states’ representatives. Meanwhile, the United States is taking steps to implement a new framework, monitoring mechanisms, and a new Ombudsman.

Impact of Agreement

There are still several hurdles to cross. The Article 29 Working Party and representatives must provide input to the College of Commissioners. Likewise, the United States must make the necessary preparations to put in place the new framework, monitoring mechanisms, and the new Ombudsman. Absent future challenge, however, there will be an “adequacy decision,” enabling transatlantic data to flow between the EU and companies in the United States complying with the new Privacy Shield.


[1] European Commission, Press Release, “EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield” (Feb. 2, 2016), available at http://europa.eu/rapid/press-release_IP-16-216_en.htm.

[2] See “European Court of Justice Invalidates U.S.-EU Safe Harbor” (Oct. 9, 2015), available at http://www.natlawreview.com/article/european-court-justice-invalidates-us-eu-safe-harbor.

[3] Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=125031.

[4] See the Export.gov advisory available at http://www.export.gov/safeharbor/index.asp.

[5] The Article 29 Working Party has said, in a press conference, that before proffering a legal opinion regarding the Privacy Shield, it will wait to see the details of the new arrangement and will consider the commitments made by the United States. A formal statement will be published.

©2019 Epstein Becker & Green, P.C. All rights reserved.

About this Author

Adam S. Forman, Epstein Becker Green, Workforce Management Lawyer, Chicago, Detroit, Social Media Issues Attorney
Member

ADAM S. FORMAN is a Member of the Firm in the Employment, Labor, and Workforce Management practice, based in Chicago and Detroit (Metro). As noted in the 2015 edition of Chambers USA, Mr. Forman “is a renowned expert in social media issues relating to the workplace” and also “focuses on litigation, training and preventive advice on the employment side.” A frequent writer and national lecturer on issues related to technology in the workplace, such as social media, Internet, and privacy issues facing employers, Mr. Forman is often interviewed by...

312-499-1468
Patricia M. Wagner, Epstein Becker Green, Health Care, Life Sciences
Member

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

Advising clients on a variety of matters related to federal and state antitrust issues 

Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of Justice, and state antitrust authorities 

Advising clients on issues related to HIPAA privacy and security

Advising clients on issues related to state licensure and regulatory requirements

202-861-4182