From Safe Harbor to Privacy Shield: New EU-U.S. Agreement for Transatlantic Data Flows

Ballard Spahr LLP

The European Commission (EC) and the U.S. Department of Commerce have reached an agreement to create a framework for transfers of personal data from the European Union to the United States. The framework, named the EU-U.S. Privacy Shield, will replace the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union in October 2015.

The Privacy Shield, announced February 2, 2016, will be composed of four key components:

  • Strong obligations on companies handling Europeans' personal data and robust enforcement: Companies that commit to the Privacy Shield must commit to "robust obligations" on personal data collection and processing and guarantee individual rights. These commitments will be published and enforced by the Federal Trade Commission (FTC). Companies handling human resources data from the EU must also commit to complying with decisions by EU Data Protection Authorities (DPAs).
  • Clear safeguards and transparency obligations on U.S. government access: The United States has given the EU written assurances that access by law enforcement and national security officials to personal data will be subject to clear limitations, safeguards, and oversight mechanisms. Any access to data must be necessary and proportionate to the need for such access. The United States has agreed not to conduct indiscriminate mass surveillance on the personal data transferred to the country.
  • Annual joint review: The EC and the Commerce Department will conduct an annual review in order to monitor the functioning of the Privacy Shield. The review will include the issue of national security access.
  • Effective protection of EU citizens' rights with several redress possibilities: Citizens who believe their data has been misused will have several redress possibilities, including alternative dispute resolution without charge. Companies will have deadlines to reply to any complaints, and European DPAs can refer complaints to the U.S. Commerce Department and the FTC. To address any complaints of access by national intelligence authorities, the United States will create a new ombudsperson position.

Statement of the Article 29 Working Party on the Consequences of the Schrems Judgment

Following the announcement of the Privacy Shield, the Article 29 Working Party (WP29), an entity entrusted with promoting uniform application of the Data Protection Directive throughout the European Economic Area and giving the EC an opinion on community laws affecting the right to protection of personal data, released a statement on February 3, 2016, regarding the Privacy Shield and the transfer of personal data following the Schrems decision. The WP29 emphasized that there must be four essential guarantees for intelligence activities that are respected whenever personal data is transferred from the EU to the United States and to other countries:

  • Processing should be based on clear, precise, and accessible rules. Anyone who is reasonably informed should be able to foresee what might happen with personal data once it is transferred.
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated. There must be a balance between the objective for which data is collected and accessed (generally national security) and the rights of the individual.
  • An effective, impartial, and independent oversight mechanism should exist. The mechanism can be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks.
  • Effective remedies need to be available to the individual. Anyone should have the right to defend his or her rights before an independent body. 

The WP29 stated that it will analyze the Privacy Shield to ensure it meets with these guarantees. The WP29 noted that it still has concerns about the U.S. legal framework, despite the progress the United States has made since 2014. It will also evaluate how current mechanisms for data transfers to the United States—Model Contractual Clauses and Binding Corporate Rules—offer appropriate guarantees.

Long Road Ahead

Despite the wide publicity the announcement of the Privacy Shield received, there is still a long way to go before it becomes enforceable. In the coming weeks, the EC will draft an adequacy decision and will then send the decision, along with supporting materials, to the WP29 for consideration. The College of EU Commissioners will then need to adopt it, taking into consideration the opinion of the WP29 and consulting with a committee composed of representatives of the member states. It is likely that this process will take at least several months. In addition, certain steps are still expected to be completed on the part of the United States, including the passing of the Judicial Redress Act and the appointment of the ombudsperson.

Even if finalized, the Privacy Shield will likely meet with legal challenges. Notably, Max Schrems has already stated that, depending on the final language of the Privacy Shield, he may bring such a challenge before the court. In addition, now that January 31, the unofficial deadline imposed for reaching an alternative solution to the data transfers, has passed, the data protection authorities of the EU member states may commence enforcement against companies that are still relying on the invalidated Safe Harbor for their transfers.

Companies that need to transfer personal data from the EU to the United States should continue to assess their transfers with a view to minimizing the scope of the transfer and finding appropriate transfer mechanisms.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
