Negotiators from the European Commission and the United States have announced an agreement to replace the U.S.-EU Safe Harbor Framework for certain cross-border data transfers which was struck down last October by the European Union's Court of Justice. However, complete details of the agreement have not yet been made available, and significant hurdles remain before it can take effect.
Background
The European Commission's Data Protection Directive requires that countries to which the personal data of EU residents are transferred maintain adequate standards for data protection (to see a previous D&G Alert on data protection, click here). Over 15 years ago, the Safe Harbor program was put in place to enable the transfer of personal data from EU residents to companies in the United States in a manner that, it was expected, was in compliance with the EU standards.
Last October, however, the EU Court of Justice decided that U.S. national security and law enforcement requirements effectively prevailed over the Safe Harbor, giving the U.S. government the authority to interfere with the "fundamental rights of persons" to protect their personal data. The Court of Justice determined, therefore, that the Safe Harbor was invalid and it told the High Court of Ireland to decide whether a challenge to the transfer of personal data from Facebook Ireland Ltd. to Facebook USA, which had initiated the litigation, should be upheld and whether transfer of Facebook's European subscribers' personal data to the United States should be suspended.
Safe Harbor negotiations between EU Commissioners and U.S. representatives, which had begun well before the Court of Justice ruling, took on a new urgency as the parties sought to reach an agreement that would permit the transfer of EU residents' data to the United States to continue. At the same time, EU data protection authorities (DPAs) declared that, if by the end of January 2016, no appropriate solution was found, they were "committed to take all necessary and appropriate actions," including "coordinated enforcement actions."
The January 31, 2016 deadline passed with no agreement, but shortly afterwards the EU and the United States announced an agreement on a "new framework" for transatlantic data flows, referred to as the "EU-U.S. Privacy Shield."
Privacy Shield
Although the specific terms of the parties' agreement have not yet been made publicly available, the broad outlines of the new Privacy Shield appear to include the following elements:
U.S. companies wishing to import personal data from Europe will need to commit to "robust obligations" on how personal data is processed and individual rights are guaranteed.
Any company handling human resources data from Europe has to commit to comply with decisions by the European DPAs.
The U.S. Department of Commerce will ensure that companies publish their commitments, making them enforceable under the Federal Trade Commission (FTC) Act.
For the first time, the United States provided the EU with written assurances that the access of public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms and that these exceptions will be used only to the "extent necessary and proportionate."
The United States agreed to prohibit "indiscriminate mass surveillance" of personal data transferred to the United States under the new arrangement.
To regularly monitor the functioning of the arrangement, the parties agreed to an annual joint review, which also will include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and have agreed to invite national intelligence experts from the U.S. and European DPAs to the review.
Any EU citizen who considers that his or her data has been misused under the new arrangement will have several redress possibilities. Companies will have deadlines to reply to complaints. European DPAs can refer complaints to the U.S. Department of Commerce and the FTC. All parties agreed that alternative dispute resolution will be free of charge.
To handle complaints on possible access by national intelligence authorities, the United States will create a new Ombudsperson.
Next Steps
The EU authorities will be preparing a draft "adequacy decision" to be adopted by the EU Commissioners in the coming weeks, with input from the European DPAs and after consultation with a committee of representatives of EU Member States.
While that is happening, the U.S. government is taking action to put in place the steps it agreed to take, including the monitoring mechanisms and the Ombudsperson. Moreover, the U.S. Senate Judiciary Committee has approved a bill that would grant EU citizens access to U.S. courts to challenge improper use by the U.S. government of their personal data that has been transferred to this country. The bill requires resolution of the problems created by the Court of Justice's decision for it to take effect.
Despite these steps put into effect to address the situation, there already are questions being raised about the agreement. For example, the European DPAs have demanded a fuller explanation of the terms of the agreement by the end of February so that they can evaluate its effectiveness and determine if it complies with the European Commission's Data Protection Directive. Other objections to the agreement may very well be raised by individuals and European privacy groups.
Bottom Line
As with any negotiation, there are bound to be critics on both sides of the spectrum, and the new Privacy Shield has no shortage of critics. However, most parties agree that something must be done to balance the interests of EU citizens and the commercial needs of companies on both sides of the Atlantic. Some regulators have agreed to another respite until the end of February, in order to consider this deal, even though full implementation of the program will likely take longer. Other means of complying with the Data Protection Directive should continue to be considered. Meanwhile, companies that are involved in the transfer of EU personal data to the United States must watch developments in order to determine how to comply with the new Privacy Shield.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
