Safe Harbor 2.0: How The EU-U.S. 'Privacy Shield' Could Impact Your Global Operations

Norma Krayem is a Senior Policy Advisor, Christopher Cwalina is a Partner and Kaylee Cox is an Associate in Holland & Knight's Washington D.C. office

HIGHLIGHTS:

The U.S. and European Union (EU) have reached an agreement regarding international data transfers, shortly after the deadline set by both parties. The new framework, known as the EU-U.S. "Privacy Shield," is designed to improve commercial oversight and enhance privacy protections. It is estimated that it will take approximately three months to put the new Privacy Shield agreement into effect, though a precise implementation timeline has not yet been established. The U.S. and European Union (EU) reached an agreement regarding international data transfers, shortly after the deadline set by both parties. The parties had been in negotiations since the Court of Justice of the European Union's (CJEU) invalidation of the former EU-U.S. Safe Harbor Framework in October 2015. The new framework, known as the EU-U.S. "Privacy Shield," is designed to improve commercial oversight and enhance privacy protections. EU Commissioner Vera Jourová stated that the European Commission has permitted the preparation of the "adequacy" agreement that would declare that the new framework meets the requirements under EU law for protecting the privacy and data security of European citizens.

Privacy Shield Provisions

Although the Privacy Shield was approved by the College of Commissioners, it must still earn the approval of another EU Committee, comprised of representatives of the Member States. As the agreement currently stands, it requires the U.S. Department of Commerce (DOC) to actually monitor - and the Federal Trade Commission (FTC) to actually enforce - that companies' data practices comply with the agreement. The DOC said it will be dedicating a special team with significant new resources to oversee compliance with the Privacy Shield. The U.S. and the EU will review the international structure annually.

The Director of National Intelligence (DNI) has also provided written assurances to the EU that the U.S. government will use EU personal data only for purposes that are "necessary and proportionate," and the U.S. Intelligence Community has demonstrated to the European Commission the multiple layers of constitutional, statutory and policy safeguards that apply to its operations, with active oversight provided by all three branches of the U.S. government. The agreement also includes a specific mechanism by...