Safe Harbor 2.0: Political Agreement Reached – The EU-US Privacy Shield

Author: Cybersecurity & Data Privacy Group

Article by Kolvin Stone, Christian Schröder, James Drury-Smith, Paul Hansford, Emily Tabatabai, Aravind Swaminathan and Antony P. Kim

The European Commission has announced that it has reached a deal to replace the EU-US Safe Harbor framework that was declared invalid last year by the Court of Justice of the European Union ("ECJ"). Heralded as the EU-US Privacy Shield (and colloquially referred to as "Safe Harbor 2.0"), the framework should provide companies with clearer direction on safe transatlantic data transfer.

Although it has been approved on both sides of the Atlantic by the Commission and the US Department of Commerce, organizations should remain cautious for the time being, as steps now need to be taken to formally implement it. The main features of the framework are as follows:

Obligations on companies handling Europeans' personal data and robust enforcement: In a similar vein to the original Safe Harbor, companies in the US will need to commit to EU-style obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will ensure that companies publish their commitments and the Federal Trade Commission will be empowered to enforce these commitments.

Safeguards and transparency obligations on US government access: The US has given written assurances that data transferred to the US will not be subject to government mass surveillance programs, and that access to data by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. To monitor the functioning of the arrangement, the Commission and the Department of Commerce will conduct an annual joint review.

Protection of EU citizens' rights with several redress possibilities: Companies operating under the new framework will have deadlines to reply to complaints. European Data Protection Authorities can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, any alternative dispute resolution offered under the new framework will be free of charge. For complaints relating to possible access by national intelligence authorities, Europeans can raise an enquiry or complaint with a new dedicated US Ombudsperson.

Next Steps: This story is far from over. The Commission must still prepare an adequacy decision, the legal document which approves the so-called EU-US Privacy Shield as a valid data transfer mechanism under...
