Agreement Reached on EU-U.S. Privacy Shield, Replacing Former Safe Harbor
Thursday, February 4, 2016
Agreement Reached on EU-U.S. Privacy Shield, Replacing Former Safe Harbor
Print Mail Download i

On February 2, 2016, the European Commission, the executive body of the European Union (“EU”), and the United States announced an agreement on a new alternative, called the “Privacy Shield,”[1] to replace the former “Safe Harbor” program, which was invalidated by the European Court of Justice (“ECJ”) in October 2015.[2]

Background

Unlike the United States’ patchwork approach to privacy, the EU has a broad overarching law, called the Data Protection Directive 95/46/EC (“Directive”), which provides a minimum set of protections that each EU member state must offer for personal data. In order to facilitate business between the United States and EU, the United States and EU negotiated an agreement whereby U.S. companies wishing to process EU residents’ personal data could do so by qualifying for, and meeting, certain principles and guidelines. These principles and guidelines were set forth in what was known as the U.S.-EU Safe Harbor Framework (“Safe Harbor”), which required adherence to guidance materials and seven basic principles: notice, choice, onward transfer limitation, security, data integrity, access, and enforcement. Companies could self-certify that they were in compliance with the Safe Harbor and process (which, under the Directive, includes transferring) EU data.

On October 6, 2015, the ECJ issued a judgment declaring the Safe Harbor “invalid.”[3] Although the U.S. Department of Commerce stated that it would continue to administer the Safe Harbor program,[4] companies that relied on the program for transferring employee information between the United States and EU were at risk.

The New EU-U.S. Privacy Shield

While the language of the Privacy Shield has not been released, new reports and the press release of the European Commission indicate that the new EU-U.S. Privacy Shield provides stronger obligations on companies in the United States to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (“FTC”). The enforcement will include increased cooperation between the U.S. agencies and European Data Protection Authorities. Specifically, the new arrangement is reported to include the following elements:

  • Strong obligations on U.S. companies handling Europeans' personal data and robust enforcement: If a U.S. company imports personal data from Europe, it must commit to robust obligations on how the personal data is processed and guarantee certain individual rights. The Department of Commerce will monitor to ensure that companies publish their commitments. Once such commitments are published, the FTC has jurisdiction and authority to enforce compliance with those commitments. Critically, U.S. companies handling European employment data (e.g., human resource information) must commit to comply with decisions by European regulations with respect to that data.

  • Clear safeguards and transparency obligations on U.S. government access: The United States has assured the EU, in writing, that access by public authorities (for law enforcement and national security reasons) will be subject to clear limitations, safeguards, and oversight mechanisms. Such access must be limited to the extent necessary and must be proportionate to the need. Jointly, the European Commission, the U.S. Department of Commerce, national intelligence experts, and European Data Protection Authorities will annually review the Privacy Shield, including assessing national security needs and access.

  • Effective protection of EU citizens’ rights with several redress possibilities: European citizens believing that their personal data has been misused under the Privacy Shield will have several avenues for remedy. European regulators can refer complaints to the U.S. Department of Commerce and the FTC. Companies will have deadlines to reply to complaints. In addition, individuals will be able to take advantage of a free alternative dispute resolution process. Additionally, the United States will create a new Ombudsperson position (within the U.S. Department of State) who will be tasked with addressing complaints and inquiries from individuals related to possible access by national intelligence authorities.

Pursuant to the European Commission’s press release, the next steps include the Commission’s preparation of a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party (comprised of European Data Protection regulators)[5] and member states’ representatives. Meanwhile, the United States is taking steps to implement a new framework, monitoring mechanisms, and a new Ombudsman.

Impact of Agreement

There are still several hurdles to cross. The Article 29 Working Party and representatives must provide input to the College of Commissioners. Likewise, the United States must make the necessary preparations to put in place the new framework, monitoring mechanisms, and the new Ombudsman. Absent future challenge, however, there will be an “adequacy decision,” enabling transatlantic data to flow between the EU and companies in the United States complying with the new Privacy Shield.

[1] European Commission, Press Release, “EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield” (Feb. 2, 2016), available at http://europa.eu/rapid/press-release_IP-16-216_en.htm.

[2] See “European Court of Justice Invalidates U.S.-EU Safe Harbor” (Oct. 9, 2015), available at https://www.natlawreview.com/article/european-court-justice-invalidates-us-eu-safe-harbor.

[3]Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=125031.

[4] See the Export.gov advisory available at http://www.export.gov/safeharbor/index.asp.

[5] The Article 29 Working Party has said, in a press conference, that before proffering a legal opinion regarding the Privacy Shield, it will wait to see the details of the new arrangement and will consider the commitments made by the United States. A formal statement will be published.

©2024 Epstein Becker & Green, P.C. All rights reserved.

Current Legal Analysis

More from Epstein Becker & Green, P.C.

Five Commissioners and a Vote on Noncompetes to Come
by: E. John Steren , Patricia M. Wagner
U.S. Judicial Conference Aims to Curb "Judge Shopping": New Guidance Promoting Random Civil Case Assignments
by: Lori A. Medley , Scarlett L. Freeman
FTC Vote on Rule to Ban Non-Competes Scheduled for April 23rd
by: Mark L. Daniels
Insignificant Harm Not So Insignificant in Proving Title VII Transfer Violation - SCOTUS Today
by: Stuart M. Gerson
Maryland Expected to Expand Pay Transparency Requirements in Fall 2024
by: Ann Knuckles Mahoney , Tammy Tran
Employment Law This Week Episode 342 - Spilling Secrets: Navigating Physician Non-Compete Litigation [Video, Podcast]
by: Jill K. Bigler , Daniel L. Fahey
Today’s Argument Was More Consequential Than Issued Opinions - SCOTUS Today
by: Stuart M. Gerson
Supreme Court Underscores Limited Applicability of Rule 10b-5(b) Omissions Claims
by: Daniel D. Edelman
Unanimity Among Justices Rules the Day - SCOTUS Today
by: Stuart M. Gerson
FDA Releases Draft Guidance on New Dietary Ingredient Notification Master Files for Dietary Supplements
by: Jack Wenik , Theodora McCormick

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins