News broke late February 2, 2016 that the United States and the European Union Commission have agreed upon a revised and updated version of the U.S.-EU Safe Harbor, providing a new framework for transfers of personal data from the EU to the U.S. The updated framework has been re-branded as the EU-U.S. "Privacy Shield". The framework potentially provides a mechanism to avoid a significant disruption in digital commerce.
This development came as a surprise to some, as it had appeared that an agreement would not be finalized close to the January 31, 2016 deadline set by the Article 29 Working Party, which represents Data Protection Authorities across all EU Member States. Following the European Court of Justice's decision invalidating the Safe Harbor, the Working Party indicated that coordinated regulatory enforcement against businesses relying on Safe Harbor to transfer personal data from the EU to the U.S. would not begin until January 31. Less surprising is that the agreement reached so far is only "in principle." While we have some indication of the key points agreed to at a high level, the finalized framework is still some way off. Before taking effect, the new Privacy Shield will require additional steps in the U.S. to implement agreed-upon regulatory and legislative changes and another EU Commission "adequacy decision".
Formal press releases and statements from the various government agencies are available as follows:
Here is what we know so far, together with our initial thoughts on the issues.
U.S. Businesses' Compliance: stronger commitments and more robust enforcement
U.S. Government Access: safeguards and transparency
The U.S. Government has given the EU written assurances that access by public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. In particular:
The U.S. will not conduct mass or indiscriminate surveillance of personal data transferred from the EU to the U.S. under the Privacy Shield, and access will be only to the extent necessary for, and proportionate to, the requirements of national security. This is a dramatic commitment and goes to the heart of the major concerns raised by the European Court. If the detailed commitments echo the general sentiment, this should be reassuring not just for EU residents, but also for U.S. businesses that have their own concerns about such surveillance.
The arrangement will be regularly monitored by an annual joint review, to include the issue of national security access and be carried out by the European Commission and the U.S. Department of Commerce (with U.S. national intelligence experts and European Data Protection Authorities invited). This appears to demonstrate a strong commitment on both sides of the Atlantic to collaborate, and for the European Court’s major concern to be addressed not only by stated U.S. governmental commitments, but also by openness about the process of complying with those commitments.
EU Citizens' Rights: redress possibilities
We are still looking at several weeks at the very least for the new Privacy Shield itself to be formalized. On the EU side, the European Commission's adequacy decision is expected to be drafted in the coming weeks, and, assuming the finer details can be agreed, adopted soon after in consultation with the Article 29 Working Party and representatives of the EU Member States. The Working Party has called on the European Commission to provide it with the final documents for the Privacy Shield by the end of February 2016. Given that it will take some time for the Working Party to complete its assessment, it is unlikely that the Privacy Shield will be implemented before late March 2016 at the earliest. Meanwhile, in the U.S., preparations are expected to begin to put in place the new Privacy Shield, monitoring mechanisms and new Ombudsperson.
Concluding thoughts and wider context
However large a movement this "in principle" agreement is towards formalization of a new framework, there is no doubt that it is a positive step towards some kind of transatlantic compromise and accord on an issue which has been of great concern to many international businesses, especially over the last few months. Of course the timing and practicality of the Privacy Shield itself is the all-important next step.
As it did following the European Court ruling regarding Safe Harbor, the Working Party has again referenced its ongoing analysis of the robustness of other mechanisms used to transfer data from the EU to the U.S. such as Standard Contractual Clauses and Binding Corporate Rules, and it is clear that it continues to recognize the potential impact of the European Court's reasoning on those other mechanisms. Having set out its four "essential guarantees for intelligence activities", which the Working Party stresses "should be respected whenever personal data is transferred from the EU to the U.S.", it promises to "analyse to what extent this new arrangement will provide legal certainty for the other transfer tools". With this in mind, the new Privacy Shield, and the underlying regimes supporting it, become all the more crucial to resolving the ongoing debate and uncertainty surrounding transatlantic data flows.
As for litigation, whether the new Privacy Shield will quickly lead to new legal challenges remains to be seen. Data Protection Authorities in individual EU Member States certainly are still entirely free to investigate the extent to which data transfers, pursuant to schemes such as Safe Harbor or the Privacy Shield, actually comply with applicable data privacy laws. This, as the Schrems decision made clear, is the case regardless of any EU Commission decision declaring such schemes to provide adequate protection, so the door remains open for further litigation on this issue, even once the new Privacy Shield is in place.
Therefore, while news of the Privacy Shield is promising, multi-national businesses should continue to monitor these developments closely.
 - C-362/14 Maximillian Schrems v Data Protection Commissioner
 - Similar to the EU Commission's original adequacy decision (Commission decision 2000/520/EC) which recognized Safe Harbor as providing adequate protection for transfers of data from the EU to the U.S.
 - EU-U.S. Privacy Shield, Department of Commerce Fact Sheet, February 2, 2016
 - EU-U.S. Privacy Shield, Department of Commerce Fact Sheet, February 2, 2016
 - Uniform Domain-Name Dispute-Resolution Policy
 - See Statement of the Article 29 Working Party, October 16, 2015
 - In its Statement in response to the Privacy Shield, February 3, 2016
 - "(A) Processing should be based on clear, precise and accessible rules; (B) Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated; (C) An independent oversight mechanism should exist, that is both effective and impartial; and (D) Effective remedies need to be available to the individual."