Keywords: EU, US, safe harbor, privacy

In October 2015, the Court of Justice of the European Union ("CJEU") held that transfers of personal data from Europe to the United States made under the so-called US Safe Harbor scheme were invalid as those transfers did not ensure an adequate level of protection under European data protection law.

In the aftermath of that decision, the Article 29 Working Party, the organisation that represents the data protection authorities of the European Union, set 31 January 2016 as the deadline by which the representatives of the European Union and the United States had to find solutions to address the significant risks identified by the CJEU with respect to the transfer of personal data to the United States. At the time, the Article 29 Working Party made it clear that if no appropriate solution was reached with the United States by the deadline, European data protection authorities were committed to taking all necessary and appropriate actions, which might include taking coordinated enforcement action. That deadline has now expired.

On 2 February 2016, the European Commission announced that it had reached a high-level agreement on a series of measures with the United States to resolve the issues identified in the CJEU's ruling. These are as follows:

  • The Safe Harbor scheme will be replaced by a scheme called "EU – US Privacy Shield" which will be administered by the US Department of Commerce. European and United States representatives will confirm the process and timing for the transition from the Safe Harbor to the EU – US Privacy Shield scheme in due course.
  • By joining the EU – US Privacy Shield scheme, an organisation will be able to import personal data from Europe into the US provided that organisation publicly commits to the manner in which and the purposes for which it will process personal data in the US and agrees to comply with enhanced requirements about the manner in which personal data will be processed by it. Existing restrictions concerning onward transmission of personal data from the US to other countries will be tightened.
  • Each organisation that certifies that it complies with the EU – US Privacy Shield scheme will have its compliance with the scheme monitored and reviewed by the US Department of Commerce. If an organisation is found not to have complied with its commitments, sanctions will be applied against that organisation by the US Federal Trade Commission and it may be removed from the EU – US Privacy Shield scheme certified list.
  • If an individual has a complaint with respect to the way in which his or her personal data has been processed by an organisation that has certified to the EU – US Privacy Shield scheme, the complaint must be considered free of charge by the organisation in question within a limited timeframe in the first instance. If that complaint is not resolved, the individual concerned may refer the complaint free of charge to his or her European data protection authority, which may decide to refer the complaint to the US Department of Commerce and Federal Trade Commission for their consideration. The US Department of Commerce and Federal Trade Commission will be required to investigate and resolve the complaint within a reasonable but limited timeframe. If the complaint is not resolved to the individual's satisfaction, the complaint can be referred to arbitration for final resolution.
  • The US Director of National Intelligence will provide a binding, written assurance to the European Union that access to personal data about European citizens for national security and law enforcement purposes will only occur to the extent it is necessary and proportionate, that it will be subject to clear limitations, safeguards and oversight mechanisms and that no indiscriminate or mass surveillance of personal data transferred to the US under the new scheme will occur.
  • The Judicial Redress Act must be passed by the US Congress so that European citizens have the same rights of redress as US citizens with respect to unlawful access to their personal data by US public bodies. Any complaints about access to personal data by US national intelligence authorities that have been referred to the US by European data protection authorities will be heard by an ombudsman to be appointed in due course. The ombudsman will operate independently of the US national security authorities.
  • There will be a joint annual review of, and report on, the functioning of and compliance with these arrangements by the European Commission and US Department of Commerce.

The European Commission anticipates that it will take three months for European and United States authorities to finalise and put in place the arrangements that have been agreed, meaning that the EU – US Privacy Shield scheme should be implemented in May 2016.

Following the announcement and its discussions with the European data protection authorities in the next few days, the European Commission intends to adopt a decision that confirms that processing of personal data in the US by organisations that are certified under EU – US Privacy Shield, once implemented, will be deemed to be adequately protected in accordance with European data protection law.

Originally published 3 February 2016

© Copyright 2016. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.