Following speculation that protracted negotiations had been in vain, an agreement on Safe Harbor has apparently been reached. Dubbed the "EU-U.S. Privacy Shield", the regime will, subject to approval processes, replace the existing Safe Harbor arrangement which was invalidated by the Court of Justice of the European Union on 6 October 2015 in Maximillian Schrems v Data Protection Commissioner (Case C-362/14). The CJEU's decision cited concerns that Safe Harbor would be disregarded where national security, public interest and law enforcement requirements of the United States came into play, and that EU citizens lacked the ability to seek effective redress.
The news comes as a surprise following the passing of the 31 January deadline, and amendments to the Judicial Redress Act which prompted many to speculate that negotiations would be pushed into further disarray. The finer details of the agreement are as of yet unknown; however, some are already raising questions that cast doubt on its value to businesses.
Stating that the new framework will "protect fundamental rights" and "ensure legal certainty for businesses", an EU Commission press release gives some vague details of the agreement. The new framework will include:
Strong obligations on companies handling Europeans' personal data and robust enforcement. Companies will be monitored by the Department of Commerce to ensure that they publish their commitments. This will in turn make them enforceable under U.S. law by the Federal Trade Commission (FTC). Clear safeguards and transparency on U.S. government access. This will include an annual joint review of the arrangement to be carried out by the U.S. Department of Commerce and the European Commission. Effective protection of EU citizens' rights with several redress possibilities. These include the ability for DPAs to refer complaints to the Department of Commerce and the FTC, and a new Ombudsperson to adjudicate on complaints of possible access by national intelligence authorities. Criticism of proposals
In a series of tweets put out after the announcement, Jan Philipp Albrecht, MEP for Germany and a prominent figure in the EU Data Protection field, brandished the agreement "a joke", accused the EU Commission of selling out fundamental rights, and stated that it "puts itself at risk to be lectured by the CJEU again."
Despite these criticisms, early indications are that the Privacy Shield goes some way to achieving the...