Breaking News: US-EU Announce New Data Transfer Framework, the “EU-US Privacy Shield”

Posted: February 02, 2016

As announced on February 2, the European Commission and the United States reached an agreement on a new framework that will regulate cross-border data transfers. The new scheme – the EU-US Privacy Shield – is the result of intensive negotiations over the past few years. These negotiations took on an even higher level of urgency following the European Court of Justice’s court ruling in October 2015 that invalidated the long-standing EU-US Safe Harbor framework. It’s important to note that this agreement is not yet legally binding. Negotiations largely focused on reform of surveillance activities conducted by the US. In particular, the US committed to conducting public surveillance for law enforcement and national security purposes on European citizens in accordance with clear guidelines and oversight. Concerned Europeans will also have a formalized complaint mechanism. Commissioner Jourová remarked in her statements that this was a “unique step the US has made to restore trust in our transatlantic relations.” The European Commission’s press release outlined several elements that comprise the new framework:

• Strong and robust obligations on how US companies must process personal data and guarantee individual rights. Enforcement will continue to be overseen by the Federal Trade Commission (FTC).
• Clear safeguards and transparency obligations in relation to US government access for law enforcement and national security. The European Commission and US Department of Commerce will conduct an annual joint review of these activities.
• Effective protection of EU citizens’ rights with additional redress possibilities including requirements and deadlines for companies to respond to complaints. European Data Protection Authorities (DPAs) may refer complaints to the Department of Commerce and FTC.

In the coming weeks, the European Commission will prepare and announce a draft “adequacy decision” with consultation from the Article 29 Working Party and a committee composed of Member State representatives. The proposed decision would then be considered by the College of Commissioners. In the US, the FTC and Department of Commerce are also working to prepare and formalize the new framework and monitoring mechanisms. Although this announcement may bring a sigh of relief for the thousands of organizations that relied on the Safe Harbor Framework to transfer consumer and employee data between the US and EU, uncertainties remain as to the reception this agreement may receive by the DPAs. Further, some critics have already vocalized their dismay at the terms of the deal claiming that it may not meet the ECJ’s ruling. Impacted parties should continue to monitor the progress of this new agreement over the course of the next several weeks.