On February 2, 2016, the European Commission and the U.S. Department of Commerce announced a new framework to govern the transfer of data from the EU to the United States, referred to as the EU-U.S. “Privacy Shield.” The new protocol is intended to replace the 15-year-old Safe Harbor agreement that the European Court of Justice struck down in October, on the grounds that it failed to adequately protect the privacy rights of EU citizens.
Additional details about the new framework will be finalized in the next several weeks, but at a high level, the agreement contemplates much stronger protection of data privacy rights as compared to the old Safe Harbor regime. This heightened protection will come from more rigorous enforcement of data privacy rules by U.S. and EU authorities, and multiple additional avenues of redress for individuals claiming violations of their rights. Here are some key aspects of the new accord:
- U.S. companies seeking to import data from the EU must make robust data protection commitments, and publish those commitments to enforcement officials. Any company transferring personal human resources data must agree to comply with decisions issued by EU data protection authorities.
- Monitoring and enforcement in the U.S. will be carried out by the Department of Commerce and the Federal Trade Commission, which have agreed to cooperate with European data protection authorities on complaints.
- The U.S. will commit to safeguards to ensure that government surveillance of transferred data is significantly limited to that which is necessary and proportionate, and subject to strict oversight.
- Europeans will be able to raise complaints about alleged data misuse through eight different channels, including a newly created privacy ombudsperson in the U.S. Department of State that will handle complaints related to government access to transferred data. Companies will have deadlines to respond to complaints, and alternative dispute resolution will be provided free of charge to consumers.
- The agreement will undergo a joint EU-U.S. review every year, which will allow officials to monitor the functioning of the protocol and make necessary changes.
The Privacy Shield agreement is not immediately effective, however—and the possibility remains that it will not take effect at all. First, the EU member states and their data protection authorities have an opportunity to provide input on the viability of the framework to the EU College of Commissioners, which ultimately must approve the agreement. Data protection regulators have requested additional details and documents about the framework by the end of February, and the process of review and approval by the College of Commissioners will not likely conclude until April. Also, experts expect that the Privacy Shield may be challenged in an EU court, which could further delay its implementation.
So in the meantime, organizations looking to transfer data from the EU to the U.S. must rely on alternative approaches, such as binding corporate rules and model contract clauses. But hopefully the Privacy Shield will soon provide a much-needed mechanism for companies to move information across the Atlantic with confidence that the transfers are legally sanctioned and adequately protect the privacy rights of individuals.