On February 2, 2016, the European Commission announced that it reached a deal to replace the EU-US Safe Harbour framework that was declared invalid last year by the Court of Justice of the European Union (CJEU). Referred to as the “EU-US Privacy Shield”, the new framework should provide businesses with guidance for the safe transfer of personal information of citizens of the European Union (EU) to the United States.
The CJEU declared the old Safe Harbour framework invalid on October 6, 2015. Under the EU Data Protection Directive, the personal information of EU citizens can only be transferred from the EU to countries with adequate data protection standards. The old Safe Harbour agreement, negotiated between the European Commission and the United States Department of Commerce, was one of a number of mechanisms available to EU businesses to ensure there was an adequate level of protection when transferring personal data of EU citizens to the United States. One of the CJEU’s primary concerns with the old framework was the massive and indiscriminate surveillance of personal information of EU citizens in the United States, which was viewed as incompatible with the “fundamental rights” of EU citizens.
Regulators provided a grace period ending January 31, 2016 for the negotiation of a new agreement, during which European Data Protection Agencies would not pursue penalties against businesses improperly transferring personal information of EU citizens from the EU to the United States.
Features of the New Framework
While the terms of the new agreement have not been settled, the European Commission released some details of the EU-US Privacy Shield.
- Obligations on businesses in the United States with respect to personal information of EU citizens and enforcement mechanisms: Similar to the original Safe Harbour, businesses in the United States will need to commit to obligations regarding how personal information will be processed and how individual rights will be guaranteed. The Department of Commerce will ensure that businesses publish their commitments and the Federal Trade Commission will enforce these commitments.
- Transparency and safeguards relating to United States government access: The United States government has given assurances that personal information of EU citizens transferred to the United States will not be subject to government mass surveillance programs, and that access to such personal information for law enforcement and national security purposes will be subject to limitations, safeguards and oversight mechanisms.
- Remedies: Companies operating under the new framework will have deadlines to reply to complaints. European data protection authorities may refer complaints to the Department of Commerce and the Federal Trade Commission. Any dispute resolution mechanisms offered under the EU-US Privacy Shield will be free of charge. For complaints relating to possible access by national intelligence authorities, EU citizens may file a complaint with a new dedicated ombudsperson based in the United States.
The European Commission must prepare an adequacy decision to approve the EU-US Privacy Shield as a valid data transfer mechanism under the EU Data Protection Directive, which is expected to take several weeks. Once prepared, the adequacy decision must be adopted by the College of EU Commissioners after receiving and considering the advice of the Article 29 Working Party. Authorities in the United States will need to take various actions, including establishing the ombudsperson and implementing monitoring mechanisms.