After months of negotiations, senior EU and U.S. officials announced agreement this week on a new EU-U.S. Privacy Shield to replace the Safe Harbor Framework previously relied upon by more than 4,400 U.S. companies to transfer the personal data of EU citizens to the U.S. Until it was invalidated by the EU Court of Justice last fall, the Safe Harbor Framework had functioned as a means for those companies that had self-certified to the Safe Harbor principles to legally transfer such data. As we reported in previous articles (Is the Future of the Safe Harbor Safe? and Post Safe Harbor – What’s Next?), in the wake of the Edward Snowden revelations, the Safe Harbor Framework was challenged before the EU Court of Justice as not providing adequate protection for data on EU citizens that was transferred to the U.S. The Court invalidated the Framework, finding that it provided inadequate protection, and threw into question the other data transfer mechanisms to the U.S. as well. The primary criticisms concerned the lack of judicial redress in the U.S. afforded to EU citizens for misuse of their data and the lack of transparency over the data-gathering activities of U.S. intelligence agencies in relation to EU data.
The details of the agreement have not yet been made public, although the announcement identified the following components:
- EU citizens will have a right of redress in the U.S.
- U.S. assurance that any surveillance on EU citizens will be limited and proportionate.
- Establishment of an “ombudsman” position in the State Department to help address EU citizens’ surveillance concerns.
- Annual joint review of the Shield.
The EU College of Commissioners has approved the agreement. The Article 29 Working Party (WP), which is comprised of European Data Protection regulators, must still review and advise the College on the legality of the Privacy Shield in connection with an “adequacy decision” the College will have to adopt. The WP announced that it needs to see the detail of the new arrangement to issue its full assessment.
Additionally, according to the Department of Commerce, the U.S. will have to make the necessary preparations to implement the new Privacy Shield, including monitoring commitments and the role of the ombudsman. It has promised it will soon hold briefings on the new obligations of U.S. companies, but provided few additional details.
Both sides expressed confidence that the new Privacy Shield would withstand the scrutiny of the European Court of Justice, and emphasized that it is a living agreement that will have to undergo continuous review.
In the meantime, binding corporate rules and standard contractual clauses continue to be the alternative mechanisms for cross-border data transfer considered valid by the WP. We will continue to monitor the requirements as they are announced, as well as the WP's determination, expected later this spring, of whether the Privacy Shield satisfies the requirements of EU law.
For more information, please contact Jane Hils Shea in Frost Brown Todd’s Privacy and Information Security Law Practice.