On Monday, October 26, European Union Justice Commissioner Věra Jourová delivered a speech before the European Parliament in which she noted that the European Union and the United States had agreed “in principle” on a new framework to govern transatlantic data transfers.  The details will be fleshed out during “intensive technical discussions” in the coming weeks, and possibly finalized when Commissioner Jourová travels to Washington, D.C. in mid-November for direct talks with Commerce Secretary Penny Pritzker.

While those details remain to be seen, Commissioner Jourová underscored the need for “effective detection and supervision mechanisms” by U.S. authorities and noted that the United States has committed to stronger oversight of the Safe Harbor program to “transform the system from a purely self-regulating one to an oversight system that is more responsive as well as pro-active and back[ed]-up by significant enforcement including sanctions.” 

In addition, Commissioner Jourová stated that the agreement with the United States would likely include an annual joint review mechanism to assess “all aspects” of the new framework, including law enforcement and national security exemptions.  While noting that U.S. government surveillance was the “biggest challenge” in the Schrems decision, Commissioner Jourová emphasized that progress has been made on this front, including the passage of the USA Freedom Act, recent executive orders on intelligence operations, and the legislative effort to extend judicial protection to EU citizens under the Privacy Act of 1974. 

Implications

While this is far from a fully-fledged “Safe Harbor 2.0,” it is a significant step towards a framework to support the transatlantic data flows of the more than 4,000 U.S. companies that relied on the first Safe Harbor program to offer services to EU citizens.

While the announcement is cause for optimism among U.S. companies that are adherents, until the details are worked out many companies will continue to explore model contracts, binding corporate rules, and additional mechanisms to ensure the legality of their data processing.  Moreover, large enterprises will increasingly scrutinize their vendors and suppliers.  In any event, for the near future uncertainty and heightened enforcement risk seem inevitable, with data protection continuing to be an important issue for EU regulators.