United States and European Union Commission negotiators announced today that they have reached a political agreement on a new data transfer framework that will replace the Safe Harbor Program, which was invalidated in 2015 by the European Court of Justice (ECJ). While the details of the new framework – dubbed the "EU-US Privacy Shield" – are vague, stakeholders on both sides of the Atlantic are hopeful that the new deal will provide a legally-supportable mechanism for data transfers of personal information. The new framework will necessitate that companies re-examine their data transfer practices, including transfers of personal information of employees residing in EU Member States.
On October 6, 2015, the ECJ invalidated the U.S.-EU Safe Harbor Program, which allowed U.S. companies to transfer EU citizens' personal data to the U.S. if the companies self-certified to the U.S. Department of Commerce compliance with privacy principles similar to those contained in the EU Data Protection Directive. Click here for more background.
The EU-U.S. Privacy Shield reportedly will reflect the requirements set out by the ECJ in its October 6 ruling. For instance, the new framework will impose stronger obligations on U.S. companies to protect the personal data of Europeans coupled with more robust monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities (DPAs).
A significant privacy concern for the EU has been the ability of the U.S. government to access personal information for national intelligence purposes. To address this concern, the U.S. has reportedly given written assurances, for the first time, that "access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms." The U.S. has assured the EU Commission that "it will not conduct mass or indiscriminate surveillance of Europeans." To this end, the EU-U.S. Privacy Shield framework will include a dedicated Ombudsperson to address inquiries or complaints from EU citizens regarding the handling of their data.
The EU Commission press release highlighted the following elements:
(1) Strong obligations on companies' handling of Europeans' personal data and robust enforcement. U.S. companies that transfer data from Europe will be required to comply with robust obligations on how personal data is processed and how individual privacy rights are guaranteed. The U.S. Department of Commerce will monitor companies utilizing the EU-U.S. Privacy Shield and require them to publish their privacy obligations and commitments. Failure to abide by their published commitments will make the company subject to enforcement by the FTC. Any company transferring employment data from the EU must also commit to comply with decisions by European DPAs.
(2) Clear safeguards and transparency obligations on U.S. government access. As noted above, the U.S. has given the EU written assurances that access by public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. While the U.S. has agreed not to engage in mass and indiscriminate surveillance, the EU and U.S. appear to have agreed that the U.S. may engage in surveillance that is "necessary and proportionate." The EU and the U.S. Department of Commerce will annually review the functioning of the new framework including these surveillance safeguards and transparency requirements. Intelligence experts from the U.S. and the DPAs will be invited to participate in the annual review.
(3) Protection of EU citizens' rights and opportunities for redress. Any citizen who is concerned that their data has been misused under the new arrangement will have several avenues for remediation. Companies will be obligated to meet deadlines in response to complaints by individuals. European DPAs can refer complaints to the Department of Commerce and the FTC. The newly created Ombudsmen will address complaints involving access by national intelligence authorities. In addition, the framework will provide for an Alternative Dispute Resolution process that will be free of charge to individuals.
Next steps:
The EU regulators will be preparing a draft "adequacy decision" in the next few weeks, which would then work through a process to be approved by all the Member States. In the meantime, the U.S. government will begin to implement the requirement of a new framework, including putting monitoring mechanisms into place and identifying the Ombudsperson.
As the EU and U.S. develop the details of the new framework, companies should take stock of the mechanisms they have in place governing data transfers from Europe and consider a plan to develop and implement appropriate new policies and procedures to address the requirements of the EU-U.S. Privacy Shield framework.
For more information about how this issue may affect your business or related matters, please contact any member of the Firm's Privacy and Information Security Team.