November 28, 2021

Volume XI, Number 332

Advertisement
Advertisement
Advertisement

Privacy Shield Offers Hope on EU-U.S. Data Transfer—For Now

Politicians in both the European Union and United States touted Tuesday’s agreement on a new “Privacy Shield” for EU-U.S. data transfers as a resolution to the data transfer quagmire that has faced companies since the EU-U.S. Safe Harbor was invalidated in October. While this new deal is a promising step in the right direction for companies that transfer data from the EU to the United States, there are still many questions about exactly what the requirements of the new Privacy Shield will be, how an American company can ensure compliance with those requirements and (perhaps most importantly) whether the European Court of Justice will validate the new rules.

Indeed, the deal heralded by politicians on both sides of the Atlantic appears to be only a high-level agreement—they expect to document the actual terms over the next few weeks (the Article 29 Working Party (WP29), the body made up of representatives of individual European Member States’ data protection authorities, has called for it to be fully documented by the end of February). Thus, we anticipate quite a bit more negotiation on the precise scope and language of the requirements. Meanwhile, WP29, which had been assessing data transfer mechanisms like standard contractual clauses and model contracts for possible flaws that would lead to enforcement actions, announced that it will not take enforcement actions based on its concerns about these mechanisms while it awaits the details of the new transfer deal.

For the moment, this is what we know about the primary elements of the Privacy Shield:

  • Increased monitoring and enforcement in the United States to be carried out by the Commerce Department and the Federal Trade Commission, including access for Europeans for judicial redress in the United States

  • Multiple channels for European data subjects to raise complaints about data misuse, including through the companies handling the data or through a newly created “privacy ombudsman for national security”

  • Commitments from the United States government about the increased safeguards and limitations to prevent access to transferred data by U.S. law enforcement and intelligence officials

  • Joint annual review of the Privacy Shield agreement

Again, though, it is by no means clear whether this new arrangement will meet with approval of European data protection authorities. Although WP29 has suspended enforcement for now, its leadership has expressed concerns about the enforceability of promises from the U.S. government (particularly the outgoing Obama administration) made only in an exchange of letters. And even if the data protection authorities approve, it is always possible that the Privacy Shield could be subject to a challenge in European courts by a concerned consumer—as was the Safe Harbor previously.

Assuming the Privacy Shield gets past these hurdles, it’s not yet clear as a practical matter what a company hoping to transfer EU data will need to do to comply. Presumably that will be spelled out more clearly when the full terms of the agreement are reduced to writing. Right now, most of the publicized details relate to additional restrictions and responsibilities imposed on the U.S. government. But, still, this is progress and we will continue to closely monitor the situation and report further as developments warrant.

© 2021 Vedder PriceNational Law Review, Volume VI, Number 36
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Blaine C. Kimrey, media defense Litigation, Vedder Price Law Firm Chicago Office
Shareholder

Blaine C. Kimrey is a Shareholder in the Litigation practice area in the firm’s Chicago office.

A former journalist at two daily newspapers (the Austin American-Statesman and the Arkansas Democrat-Gazette), Mr. Kimrey is a trial lawyer who has dedicated more than 20 years to working for and defending media entities. Mr. Kimrey’s practice, however, extends well beyond media defense, focusing on a broad range of direct and class action litigation involving topics as diverse as privacy, consumer deception, intellectual property,...

312-609 7865
Bryan Clark Media & Privacy Law  litigation Vedder Price Law Firm Chicago
Shareholder

Bryan Clark is an Associate at Vedder Price and a member of the Litigation group in the firm’s Chicago office.  He has an extensive media and privacy practice that includes privacy class action defense, mobile-marketing litigation, class action TCPA litigation, copyright litigation, right of publicity litigation, data breach response, FOIA issues, reporter’s privilege issues and prepublication review.

Mr. Clark’s other representative work includes drafting successful dispositive motions in right of publicity and invasion of privacy cases,...

312-609 7810
Advertisement
Advertisement
Advertisement