European Commission Announces Forthcoming EU-US Privacy Shield Agreement
On Tuesday, February 2, 2016, European and American officials announced that an agreement has been reached to replace the now-defunct Safe Harbor rules. This agreement, coming two days after the deadline originally set by national privacy agencies in Europe, should prevent regulators from the European Union from restricting data transfers by companies.
As we previously reported, the Court of Justice of the European Union (CJEU) ruled this past fall that the EU-US Safe Harbor for personal data transfers did not provide adequate protection of personal data and was thus invalid. This ruling created uncertainty for American companies which relied on the EU-US Safe Harbor to transfer data across the Atlantic without violating EU regulations.
In a press release on Tuesday, the European Commission announced that the European Union and United States have reached an agreement on a new framework for transatlantic data flows, called the “EU-US Privacy Shield.” Three critical components of this agreement were outlined in the press release.
First, under the new arrangement, U.S. companies will have stronger obligations to protect the personal data of European citizens, which will be monitored by the Department of Commerce and Federal Trade Commission. Specifically, the press release states that the Department of Commerce will monitor companies which publish their commitments, which makes these commitments enforceable under U.S. law by the Federal Trade Commission. Additionally, any company handling human resources data from Europe has to comply with decisions by European Data Protection Authorities (DPAs).
Second, the press release states that there will be “clear safeguards and transparency obligations” on how U.S. law enforcement and national security agencies access the personal data of European citizens. The United States will not be permitted to conduct mass indiscriminate surveillance of personal data of Europeans that is transferred to the United States. The European Commission and the Department of Commerce will conduct an annual review of this aspect of the agreement.
Third and finally, the agreement provides avenues of redress for European citizens who believe that their data has been misused. Companies will have deadlines to reply to complaints and the Department of Commerce and Federal Trade Commission will monitor complaints referred to them by European DPAs. Alternative dispute resolution procedures will be made available free of charge. Additionally, an ombudsman will be appointed to receive complaints regarding access by national intelligence authorities.
The agreement has not yet been finalized, and no text of the agreement has been released. However, on Wednesday, the Article 29 Working Party, made up of representatives of each individual member state’s DPAs, announced that it will not be taking enforcement action against American companies that use alternative transfer mechanisms, such as obtaining “unambiguous consent” as described in Directive 95/46 and using “intragroup transfers” under the Binding Corporate Rules (BCRs), as an alternative to the Safe Harbor parameters. The Working Party also reiterated that those that are continuing to operate under the “safe harbor” rules may still face enforcement action.
Still, the Working Party was cautious in its comments. The Working Party’s president, Isabelle Falque-Pierrotin, explained to the press the importance of having the opportunity to analyze the terms of the agreement in writing, warning that it was necessary to review the documentation in order to fully assess whether the concerns about privacy were satisfactorily addressed.
Companies that do business in the EU, including those receiving information regarding customers or human resources, should continue to monitor and evaluate their use of personal data. Companies that are using alternative compliance methods for transatlantic data transfers should continue to do so and monitor any new information on the EU-US Privacy Shield as it becomes available. However, companies that continue to operate using the parameters set forth by the “safe harbor” rules should immediately take action to make sure that any transfers of data are compliant with EU law.
For questions about cybersecurity, please contact Josh Mooney (firstname.lastname@example.org; 215.864.6345), Jay Shapiro (email@example.com; 212.714.3063), Laura Schmidt (firstname.lastname@example.org; 215.864.6333) or any member of our Cyber Law and Data Protection Group.