On February 2, 2016, the European Commission announced that it reached a deal to replace the EU-US Safe Harbour framework that was declared invalid last year by the Court of Justice of the European Union (CJEU). Referred to as the "EU-US Privacy Shield", the new framework should provide businesses with guidance for the safe transfer of personal information of citizens of the European Union (EU) to the United States.
The CJEU declared the old Safe Harbour framework invalid on October 6, 2015. Under the EU Data Protection Directive, the personal information of EU citizens can only be transferred from the EU to countries with adequate data protection standards. The old Safe Harbour agreement, negotiated between the European Commission and the United States Department of Commerce, was one of a number of mechanisms available to EU businesses to ensure there was an adequate level of protection when transferring personal data of EU citizens to the United States. One of the CJEU's primary concerns with the old framework was the massive and indiscriminate surveillance of personal information of EU citizens in the United States, which was viewed as incompatible with the "fundamental rights" of EU citizens.
Regulators provided a grace period ending January 31, 2016 for the negotiation of a new agreement, during which European Data Protection Agencies would not pursue penalties against businesses improperly transferring personal information of EU citizens from the EU to the United States.
Features of the New Framework
While the terms of the new agreement have not been settled, the European Commission released some details of the EU-US Privacy Shield.
Obligations on businesses in the United States with respect to personal information of EU citizens and enforcement mechanisms: Similar to the original Safe Harbour, businesses in the United States will need to commit to obligations regarding how personal information will be processed and how individual rights will be guaranteed. The Department of Commerce will ensure...