'EU-U.S. Privacy Shield' To Replace 'Safe Harbor'

Author: Mr Mauricio Paez, Undine von Diemar, Jonathon Little, Elizabeth Robertson, Paloma Bru, Olivier Haas and Laurent De Muyter
Profession: Jones Day

Political agreement on a new framework for transatlantic data transfers reached

On February 2, 2016, European Union ("EU") and U.S. regulators reached a political agreement on a new "Safe Harbor 2.0" that could provide thousands of companies with a legal basis for transatlantic data transfers.

The framework—referred to as the "EU-U.S. Privacy Shield"—is the result of lengthy negotiations between EU and U.S. policymakers aimed at developing an alternative to the now defunct Safe Harbor program ("Safe Harbor"). Safe Harbor was implemented by agreement between the U.S. government and the EU Commission in 2000, and since its inception, more than 4,000 U.S. companies participated in order to receive personal data from the EU.

However, on October 6, 2015, the European Court of Justice ("ECJ") invalidated the EU Commission decision underlying the 15-year-old transatlantic agreement, concluding that it failed to provide an adequate level of protection to personal data transferred from the EU to the U.S., as required by the EU Data Protection Directive 95/46/EC. The ECJ's decision stemmed, in large part, from concerns over the U.S. government's ability to access transferred personal data as well as the lack of judicial redress afforded to EU citizens to defend their fundamental privacy rights.

According to the EU Commission's press release, the EU-U.S. Privacy Shield is designed to be more robust than its predecessor and offer stronger safeguards to rectify the inadequacies of the Safe Harbor program identified by the ECJ. The proposed arrangement includes, among other things, stronger obligations on U.S. companies handling EU personal data, more robust enforcement mechanisms, redress possibilities for EU citizens, and a focus on transparency and oversight mechanisms to limit U.S. government access to EU personal data.

As part of the agreement, EU citizens are granted multiple avenues to address concerns regarding the processing of their personal data. Participating companies will be required to directly address any questions or complaints raised by EU citizens, and to implement deadlines by which to respond to individual complaints. Additionally, EU citizens will be able to refer complaints to European Data Protection Authorities ("DPAs"), which will work with the U.S. Department of Commerce and Federal Trade Commission to ensure that individual complaints are resolved and that companies are complying with their published commitments. In the event...
