Agreement “In Principle” On New US-EU Safe Harbor Pact —The European Union announced on October 26, 2015, that it had reached an agreement “in principle” with the United States on a new transatlantic data-sharing pact—though a final agreement between the parties is likely still months away. The announcement from European Union Commissioner Věra Jourová came less than one month after the European Court of Justice (“ECJ”) invalidated the original Safe Harbor agreement between the US and the EU on October 6, 2015.

The ECJ’s landmark decision, Schrems v. Data Protection Commissioner (C-362/14), invalidated the Safe Harbor as a legal justification for transferring personal information from the EU to the United States.  Under theSafe Harbor agreement, US companies self-certify that they comply with more stringent EU data protection standards so as to allow the free transfer of European data to the United States. It is estimated that in the 15 years the Safe Harbor agreement has stood, more than 5,000 companies have relied on it to transmit data to the United States from EU member states. According to the ECJ, data stored on US servers does not meet EU standards, largely due to the US government’s national security programs, which are alleged to involve mass surveillance.

In her October 26, 2015 announcement, EU Commissioner Jourová praised steps the United States has already taken to reform data-storage security, such as the passage of the USA Freedom Act on June 2, 2015, which ended some of the US government’s controversial surveillance practices. According to Jourová, the new agreement will include greater oversight measures, transforming a largely reactive system into one that is more proactive. The United States has committed, according to the announcement, to stronger oversight by the US Department of Commerce, directing complaints to the US Federal Trade Commission, and additional cooperation with European data-regulation authorities. Moreover, the new agreement will likely include more enforcement and transparency measures, including sanctions and an annual review to ensure compliance by the US government. The EU would also like to see the enactment of US legislation that would permit European consumers to seek redress for personal data misuse by US companies.

Although the announcement by the EU Commissioner indicates progress toward a new deal, Jourová also said that the parties are “still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the court.” In the meantime, US companies continue to face uncertainty related to international data transfers. 

King & Spalding previously reported on this topic in an October 7, 2015 Client Alert titled The Post-Safe Harbor Era Begins: What In-House Counsel Needs to Know.

Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214, blangner@kslaw.com.