U.S. and EU Agree to New “Privacy Shield” Framework to Replace Safe Harbor
Following months of negotiations and just after the deadline to reach a new deal had passed, the U.S. and the EU have agreed to a new framework for transatlantic data transfers.
The new framework, dubbed the EU-U.S. “Privacy Shield,” will replace the Safe Harbor agreement, which was invalidated in October 2015 by Europe’s highest court in the landmark Schrems
Many in the technology industry have welcomed news of the agreement, but some legal observers and privacy advocates have suggested that Privacy Shield may eventually face legal challenges for failing to adequately protect the privacy rights of EU citizens. While the final agreement remains to be completed, key components of the new Privacy Shield framework have now been made public and are discussed in further detail below.
Key features of the Privacy Shield agreement announced yesterday include:
1. Commitments by Companies to Robust Data Protection.
U.S. companies participating in the new framework will be required to commit to robust obligations regarding the processing of personal data from Europe. Companies handling human resources data from Europe will be further required to agree to comply with the decisions of the Data Protection Authorities (“DPAs”) of the various EU member states.
2. FTC Enforcement.
The Federal Trade Commission (“FTC”) will have enforcement authority regarding U.S. companies’ compliance with the new framework, just as it did with the old Safe Harbor agreement. The U.S. Department of Commerce will have overall responsibility for monitoring companies’ compliance with the Privacy Shield framework.
3. Redress for EU Citizens.
EU citizens who believe that their data has been misused by a U.S. company will have several avenues of redress. For example, DPAs may refer EU citizen complaints to the Department of Commerce and the FTC. In addition, a new Ombudsperson will be established to handle complaints of access to personal data by national intelligence authorities.
4. Restrictions on U.S. Government Surveillance.
Access to EU personal data by U.S. law enforcement and national security authorities will be subject to clear limitations and oversight, and the U.S. has provided the EU with written assurances to this effect. The absence of such protections was a key factor in the Schrems decision that invalidated the Safe Harbor agreement. The European Commission and the U.S. Department of Commerce will conduct annual joint reviews regarding the issue of national security access.
In the coming weeks, further details regarding the Privacy Shield framework should emerge. Meanwhile, additional guidance may be forthcoming from the Article 29 Working Party, which is an EU advisory body on data protection issues. The Working Party, which previously announced that EU DPAs would consider taking coordinated enforcement actions if no deal was reached by the end of January, is meeting this week and is expected to address the status of transatlantic data transfers and the new Privacy Shield framework. In the longer term, some legal observers and privacy advocates expect the new agreement to be challenged in court for failing to adequately protect the privacy rights of EU citizens. Therefore, while the new framework is an encouraging step, companies engaged in transatlantic data transfers should continue to carefully consider their legal strategies, including alternative mechanisms such as Model Contract Clauses and Binding Corporate Rules.
Ice Miller’s Data Security and Privacy Practice advises clients on international data transfers and international data protection compliance. Nick Merker, a former systems, network, and security engineer, is a co-chair of Ice Miller’s Data Security and Privacy Practice and speaks frequently on international data transfers in the United States and abroad. Merker can be reached at firstname.lastname@example.org or (312) 726-2504. Eric McKeown, a former software developer, is a member of Ice Miller’s Data Security and Privacy Practice. McKeown can be reached at email@example.com or (317) 236-2124.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.