European Commission and United States Agree to New Framework for Transatlantic Data Flows

Goodwin

On Feb. 2, the European Commission and the United States announced an agreement on a new framework for transatlantic data flows. The EU-US Privacy Shield will replace the Safe Harbor framework that was invalidated by the October 6 Schrems decision by the European Court of Justice.

Details of the framework remain to be drafted, but the Privacy Shield aims to address the concerns about the adequacy of U.S. protection of EU personal data raised by the Schrems decision by: (i) imposing stronger obligations on U.S. companies handling Europeans’ personal data; (ii) providing transparency in U.S. government access; and (iii) requiring stronger monitoring and enforcement by U.S. regulators.

The formal draft of the new framework will be prepared and released in the coming weeks, but three elements of the agreement were outlined in the press release announcing the agreement:

  • Obligations on companies handling Europeans’ personal data: U.S. companies wishing to import personal data from Europe will face stronger obligations to protect the personal data and individual rights of Europeans and enhanced enforcement and monitoring by the Department of Commerce and the Federal Trade Commission.
  • Safeguards and transparency on U.S. government access: According to the release, the U.S. has given the EU written assurances that there will be limitations on access to data by public authorities for national security and law enforcement purposes. In addition, the United States has stated that there will not be mass surveillance of personal data transferred to the United States under the new arrangement. There will be an annual joint review to monitor the functioning of the arrangement, which includes the issue of access for national security reasons.
  • Redress opportunities for EU citizens: Under the Privacy Shield, any citizen who believes that their data has been misused will have several opportunities for redress. Companies processing personal data will be required to reply to complaints within set deadlines, and European Data Protection Authorities will be able to refer complaints to the U.S. Department of Commerce and the Federal Trade Commission. These remedies include free alternative dispute resolution and arbitration as a matter of last resort for EU citizens.

At the press conference announcing the agreement, EU Commissioner Jourová expressed hope that the Privacy Shield will be implemented within the next three months. The European Commission will be working to complete the draft agreement, after consultation with the member states and the working party, while the United States will be putting in place the appropriate compliance structure for the Privacy Shield.

While the announcement of the framework is a positive step toward clarifying the legal requirements for data transfers between the United States and the EU, the Privacy Shield may still face legal hurdles as concerns persist about guaranteeing the rights of European citizens.

It remains unclear how U.S. companies should proceed following yesterday’s announcement, as the Privacy Shield still faces many hurdles before it can be implemented. Tuesday’s announcement did not provide guidance to the roughly 4,500 companies previously certified under the Safe Harbor framework or the countless other U.S. companies seeking to transfer data from Europe.

Goodwin Procter’s privacy and cybersecurity team will continue to monitor the developments and provide updates as they become available.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin | Attorney Advertising
