EU-US Privacy Shield: Agreement In Principle On Framework To Replace Safe Harbour

Author: Mr Keith Rose, Kirsten Thompson, Charles S. Morgan, Barry B. Sookman and Daniel G. C. Glover
Profession: McCarthy Tétrault LLP

Regular readers of this blog will be aware that, last fall, the Court of Justice of the European Union struck down the Safe Harbour framework which permitted the lawful transfer of personal information from the EU to the US through a self-certification model. Negotiations between the European and US authorities to update or replace the framework were already underway prior to this decision, but the Court's intervention raised the stakes dramatically. The Article 29 Working Party (WP29) had set a deadline of the end of January after which European Data Protection Authorities (DPAs) might begin coordinated enforcement actions against organizations continuing such data transfers based solely on Safe Harbour self-certification. (See previous posts on this subject here, here and here.) That deadline recently passed, without any agreement.

However, on February 2, 2016, the European Commission (EC) and the US Department of Commerce and Federal Trade Commission (FTC) each announced that a new framework agreement, dubbed the EU-US Privacy Shield, had been reached in principle. The agreement has apparently been recorded at the political level via an "exchange of letters", rather than a full-blown international agreement. No text of any agreement has been released, nor has any timeline for publication been announced. However, the goal is to complete the work to implement the framework within approximately 3 months (or, roughly, by the end of April).

Elements of the Framework

According to the EC announcement, the framework involves the following elements.

US companies wishing to import personal data from Europe will need to make public and, at least theoretically, enforceable commitments to certain "robust obligations" for the processing and handling of that data. Companies handling "human resources data" will be required to commit to comply with decisions by European DPAs.

The US government has provided a written commitment that state-level access to personal information of EU citizens for law enforcement and national security purposes will be subject to "clear limitations, safeguards and oversight mechanisms". The EC announcement states that the US has "ruled out" indiscriminate surveillance. However, on February 1 (the day before announcing the agreement) Commissioner Jourová (who has responsibility for Justice, Consumers and Gender Equality and who has played a lead role in the negotiations) acknowledged in a briefing to the European Parliament...
