The European Commission has announced that it has reached a deal to replace the EU-US Safe Harbor framework that was declared invalid last year by the Court of Justice of the European Union (“ECJ”). Heralded as the EU-US Privacy Shield (and colloquially referred to as, “Safe Harbor 2.0”), the framework should provide companies with clearer direction on safe transatlantic data transfer.
Although it has been approved on both sides of the Atlantic by the Commission and the US Department of Commerce, organizations should remain cautious for the time being, as steps now need to be taken to formally implement it. The main features of the framework are as follows:
Obligations on companies handling Europeans’ personal data and robust enforcement: In a similar vein to the original Safe Harbor, companies in the US will need to commit to EU-style obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will ensure that companies publish their commitments and the Federal Trade Commission will be empowered to enforce these commitments.
Safeguards and transparency obligations on US government access: The US has given written assurances that data transferred to the US will not be subject to government mass surveillance programs, and that access to data by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. To monitor the functioning of the arrangement, the Commission and the Department of Commerce will conduct an annual joint review.
Protection of EU citizens’ rights with several redress possibilities: Companies operating under the new framework will have deadlines to reply to complaints. European Data Protection Authorities can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, any alternative dispute resolution offered under the new framework will be free of charge. For complaints relating to possible access by national intelligence authorities, Europeans can raise an enquiry or complaint with a new dedicated US Ombudsperson.
Next Steps: This story is far from over. The Commission must still prepare an adequacy decision, the legal document which approves the so-called EU-US Privacy Shield as a valid data transfer mechanism under the European Data Protection Directive. It is expected that the draft will take several weeks to produce. Once prepared, the draft must be adopted by the College of EU Commissioners after taking the advice of the Article 29 Working Party (an advisory body consisting of EU national data protection supervisory authorities) and consulting with representatives of the EU Member States. It is unclear at this stage how long this process will take and what changes to the framework, if any, will be required. The US authorities will also need to take certain preparatory steps, including implementing monitoring mechanisms and establishing the Ombudsperson to assess complaints on access to personal data by the US national intelligence authorities.
At this time, the agreement is at a high level and until a draft proposal is released it is not clear how the protections will work in practice. Moreover, some privacy advocates have expressed concern that the proposed framework does not go far enough to assuage European data privacy concerns and that more protections may be needed before the Privacy Shield framework is finalized. It is in any case likely that the program will soon have to pass its test before the European Court of Justice. Even in the best case scenario, it will be some time before businesses can rely on it to transfer data to the US. In the meantime, if you are based in the US, expect your EU based customers to continue to seek alternative solutions for their transfers of personal data to you. If you are based in the EU, you will need to continue to assess your data transfers to the US and use an alternative solution to ensure personal data are adequately protected (such as EU Model Clauses). You can read about the alternative solutions in our previous post on US–EU Safe Harbor.
 German Federal Data Protection Commissioner already called for a thorough review, PM of 02 02 2016, bfdi.bund.de/DE/Infothek/Pressemitteilungen/2016/03.