October 22, 2019

October 21, 2019

Subscribe to Latest Legal News and Analysis

EU-US Privacy Shield to Replace Safe Harbor

A new personal data transfer agreement was announced yesterday between EU and US authorities: the EU-US Privacy Shield will replace the invalidated Safe Harbor programme.

Since the landmark decision of the European Court of Justice (ECJ) in Maximillian Schrems v. Data Protection Commissioner (case C-362/14) on 6 October 2015 that invalidated Safe Harbor, personal data transfers from the European Union to the United States have been in a state of uncertainty. 

The Schrems Case

Maximillian Schrems complained in Irish legal proceedings that the Irish Data Protection Commissioner refused to investigate his complaint that the Safe Harbor programme failed to adequately protect personal data after its transfer to the United States in light of Edward Snowden’s revelations that the US security services were collecting and using the personal data of EU citizens on a large scale. The ECJ ruled in Schrems that the European Commission decision approving the Safe Harbor programme was invalid. Further, the ECJ ruled that EU data protection authorities can investigate complaints about the transfer of personal data outside Europe and, where necessary, suspend such data transfers until those investigations are satisfactorily completed.

The EU-US Privacy Shield

The European Commission has emphasised that there are significant differences between the invalidated Safe Harbor programme and the EU-US Privacy Shield. In announcing the new EU-US Privacy Shield, Commissioner Vera Jourova said the following:

“The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies. For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the [United States] has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”

Andrus Ansip (EU Commission Vice President for the Digital Single Market) said, “I believe this arrangement is what Europe needs. Both our citizens and businesses will benefit from this.”

The new agreement includes the following elements:

  • Strong obligations on companies handling EU citizens' personal data and robust enforcement of rights
    US organisations wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and the guarantee of individual rights. The US Department of Commerce will monitor the companies who publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any organisation that handles human resources data from Europe must commit to comply with decisions by European data protection authorities. The new Judicial Redress Act, if passed, will allow EU citizens to bring civil claims to the same extent as US citizens if a US agency has unlawfully breached EU citizens’ data protection rights.

  • Clear safeguards and transparency obligations regarding US government access
    For the first time, the United States has given the European Union written assurances that the access by public authorities for law enforcement and national security reasons will be subject to clear limitations, safeguards, and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate to these reasons. The United States has ruled out indiscriminate mass surveillance under the new agreement (a key criticism made in Schrems). To monitor the operation of the EU-US Privacy Shield, there will be an annual joint review. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the United States and data protection authorities.

  • Effective protection of EU citizens' rights with several rights of redress
    Any citizen who considers that their personal data has been misused under the new agreement will have several rights of redress. Organisations have deadlines to reply to complaints. European data protection authorities can refer complaints to the US Department of Commerce and the US Federal Trade Commission. In addition, Alternative Dispute Resolution (ADR) will be free of charge. A new role will be created to hear complaints on potential access of personal data by national intelligence authorities.

Next steps

Before any data transfers can take place under the new EU-US Privacy Shield, the European Commission has to adopt a formal adequacy decision. This cannot happen until the European Commission has taken advice from the Article 29 Working Party (the influential European data privacy body). Some of the members of the Article 29 Working Party are thought to be critical of any data transfers from Europe to the United States, so it may take some time before the EU-US Privacy Shield is in force.

In the meantime, it will still be necessary to legitimise data flows through alternative means such as model clauses, which currently remain in effect despite some recent challenges at the Data Protection Authority level.

Conclusion

Transatlantic commerce demands that data is able to flow freely and efficiently between Europe and the United States. Accordingly, the new EU-US Privacy Shield is to be welcomed in recognizing this economic reality and in ensuring that appropriate safeguards are implemented to protect the fundamental rights of EU citizens.

While this is an important step forward, EU and US companies should be cautious about putting all of their faith in this new framework. Challenges still lie ahead, and it may still be prudent to have back-up options in the event that the EU-US Privacy Shield is challenged as being invalid. Commenting critically on the new framework, Jan Phillip Albrecht (a member of the European Parliament) has already called the EU-US Privacy Shield a “sellout of the fundamental EU rights to data protection” and has suggested that it might be invalidated by the ECJ in the future. Given that the Schrems ruling reiterated the national data protection authorities’ ability to investigate data transfers, there is still a risk of a challenge by an EU citizen or data protection authority.

Copyright © 2019 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Matthew Howse, Employment law attorney, Morgan Lewis
Partner

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

44 (0)20 3201 5670
Pulina Whitaker, Morgan Lewis, labor and employment lawyer
Partner

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international employee misconduct investigations and has been appointed as a Compliance Monitor for a transnational organization.

+44.20.3201.5550
Gary Adler, Morgan Lewis, Commercial Litigation Lawyer
Partner

Gary Adler focuses on commercial litigation and represents both domestic and foreign companies in complex commercial law suits involving, antitrust, intellectual property, commercial tort, product liability, product warranty, and franchise claims in proceedings before state and federal courts throughout the United States, and before both domestic and international regulatory agencies and commercial arbitration panels. Gary also provides guidance to firm clients on a variety of issues relating to electronic discovery.

212.309.6140
Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis
Partner

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

215-963-5170
Doneld Shelkey, Technology attorney, Morgan Lewis
Partner

Doneld G. Shelkey represents clients in global outsourcing, commercial contracts, and licensing matters, with a particular focus on the e-commerce and electronics entertainment industries. Doneld assists in the negotiation of commercial transactions for domestic and international manufacturers, technology innovators, and retailers, and counsels clients in the e-commerce and electronics entertainment industries on consumer licensing and virtual property matters.

617 341 7599