Since October 6, 2015, when the European Court of Justice held that the longstanding United States – European Union Safe Harbor Framework was invalid as not providing adequate protection for the personal data of European residents, there has been substantial uncertainty about whether U.S. businesses that relied on the Safe Harbor Framework would be subject to costly enforcement actions by national data protection authorities in Europe. 

That uncertainty has been lifted with the announcement yesterday by the European Commission that E.U. and U.S. negotiators have reached a broad agreement for a replacement safe harbor regime, which is being referred to as the E.U.-U.S. Privacy Shield.

Background

Shortly after the adoption in 1995 of the European Union's Data Protection Directive (the "Directive"), the U.S. Department of Commerce reached agreement in 2000 with European Union officials for the implementation of the U.S.-E.U. Data Privacy Safe Harbor Framework.  The Safe Harbor Framework allowed U.S. businesses that processed personal data of European individuals (called data subjects) to self-certify compliance with a set of comprehensive privacy principles designed to ensure that the U.S. business provided privacy protections that were intended to be roughly equivalent to those provided under the Directive.  By complying with the Safe Harbor, U.S. businesses were able to avoid the stricter requirements for data privacy protections mandated under the Directive and the national laws of E.U. Member States.

Since the adoption of the Safe Harbor Framework, expectations of individual privacy protections have evolved considerably, particularly in Europe.  Because of this, a concern arose among many consumer privacy groups and some governmental officials in Europe that the Safe Harbor Framework was no longer sufficiently protective.  The revelations in recent years about the broad scope of the U.S. National Security Agency's surveillance of personal data added to these concerns, and not long thereafter the adequacy of the privacy protections provided by the Safe Harbor Framework was challenged in court.  It was that challenge that led to the October 2015 decision in the case of M. Schrems v Data Protection Commissioner, Case C-362/14, by the European Court of Justice declaring the Safe Harbor Framework to be invalid.

The E.U.-U.S. Privacy Shield

The specifics of the E.U.-U.S. Privacy Shield have yet to be finalized. However, it is contemplated that the arrangement will include at least the following key elements:

  • Enhanced obligations by U.S. companies handling Europeans' personal data, with particular focus on human resources data;
  • Stepped up monitoring and enforcement of those obligations by the U.S. Department of Commerce and the Federal Trade Commission;
  • Additional safeguards and transparency with regard to law enforcement access to European personal data; and
  • Increased opportunities and mechanisms for redress by Europeans for complaints of misuse of personal data.

The European Commission announced in its press release concerning the proposed E.U.-U.S. Privacy Shield that officials from both the Commission and the U.S. Department of Commerce will work together in the coming weeks to prepare implementing details and related guidance.  Smith, Gambrell & Russell, LLP will provide further updates on this matter as more details are agreed upon between the relevant governmental authorities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.