On Tuesday 2 February 2016, the EU Commission and US Department of Commerce announced that they had reached "political agreement" on a new privacy framework for transfers of personal data between Europe and the United States.
The new framework - the "EU-US Privacy Shield" - will replace Safe Harbor, which was invalidated by the Court of Justice of the European Union (CJEU) in October 2015 in the Schrems decision amid allegations of mass surveillance.
The details of Privacy Shield are not yet publicly available. The European Data Protection Authorities (DPAs) will also want to pore over the details of the new framework before giving their approval. As a result, uncertainty regarding transatlantic data transfers is likely to remain for a few more months. Still, this week's announcement is an important development in the future of EU-US data transfers.
The Privacy Shield Framework
In announcing Privacy Shield, the EU Commission stated that it "will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses" and that it reflects the CJEU's recommendations from Schrems. The US Department of Commerce also released a factsheet stating that the Privacy Shield will "significantly improve commercial oversight and enhance privacy protections".
Here are the key components of the new deal:
Monitoring and Enforcement: US companies that import personal data from the EU will have to commit to (and publish) "robust" obligations on how personal data is processed. The Department of Commerce will ensure that companies publish their commitments, and the FTC will ultimately enforce compliance with them (similar to Safe Harbor). In addition, the new framework contains the following important developments:
US organisations will be subject to the decisions of European DPAs in their handling of human resources data from Europe.
Increased enforcement action seems likely because of the political focus on the issue and the additional dedicated resources established in the Department of Commerce to oversee compliance.
New contractual privacy protections and oversights will also be introduced for US organisations engaging third parties or agents processing data on their behalf.
US government access: The new deal contains assurances from the US that there are limitations and safeguards on US mass surveillance. Privacy advocates in particular, however, worry that exceptions...