The October 6, 2015, decision of the Court of Justice of the European Union in the Schrems v. Facebook case left significant uncertainty surrounding the legality and practicality of U.S. technology companies' ability to process and use personal data received from the EU, in the absence of the Safe Harbor framework. Since that date, parties on both sides of the Atlantic have been waiting for clear guidance from U.S. and EU regulators on how to deal with data transfer between the EU and U.S. Pressure only mounted as the January 31st, 2016, deadline set by Europe's national data protection authorities came and passed. But today, U.S. and EU regulators announced that they have come up with a new framework for transatlantic data flows, dubbed the EU-U.S. Privacy Shield.
What do we know?
Details and the actual text of the Privacy Shield agreement between the EU and U.S. were not immediately available, but regulators on both sides have confirmed that the parties have reached an agreement in principle that will allow for the continuation of an important mechanism for transatlantic data transfers outside of binding corporate rules and model contractual clause arrangements. As of now, only a few key elements of the Privacy Shield framework have been identified:
strengthened cooperation between the FTC and EU authorities;
commitments from the U.S. that access to EU data for national security and law enforcement purposes will be subject to clear conditions, limitations and oversight mechanisms;
the creation of an ombudsperson within the State Department to receive and respond to concerns and complaints regarding data access by the U.S. law enforcement and intelligence agencies;
strong obligations on companies handling Europeans' personal data and robust enforcement, including monitoring by the Department of Commerce; and
multiple avenues for...