The United States and the European Commission reached a tentative agreement on a new framework for the transfer of personal data This issue impacts all U.S. businesses that transfer personal data between the EU and the United States The new framework is called "EU-U.S. Privacy Shield" and replaces the U.S.-EU Safe Harbor The text of the tentative agreement is not yet available The Privacy Shield must still be approved by the Article 29 Working Party Redress to EU citizens against U.S. companies is a prominent feature of the Privacy Shield Updates from the EU are expected this week The Standard Contractual Clauses and the Binding Corporate Rules are still the only EU approved methods of data transfers at this time Based on statements by the Article 29 Working Party today, Companies relying solely on the Safe Harbor as a means of complying with the EU Data Directive remain exposed in the same way they were before this tentative agreement On February 2, the United States and the European Commission reached tentative agreement on a new framework for the transfer of personal data between the European Union and the United States called the EU-U.S. Privacy Shield. The new framework replaces the U.S.-EU Safe Harbor framework, which was invalidated by the Court of Justice of the EU (Court of Justice) in October 2015, resulting in EU Data Protection Directive compliance questions for U.S. businesses that transfer personal data between the EU and the United States.
EU Justice Commissioner Vera Jourova stated that she is confident that the new framework will withstand review by the Court of Justice because it provides "clear safeguards and transparent obligations on U.S. access to data" and the Court of Justice's ruling was used as a requirements roadmap during the negotiations. Although the text of the Privacy Shield has not yet been released, some of the requirements were identified by the U.S. Department of Commerce and the European Commission. The tentative agreement on the Privacy Shield is currently pending review and approval by the Article 29 Working Party, composed of representatives from the national data protection authorities of the 28 EU member states. The Privacy Shield will require:
A published commitment from companies who agree to the Privacy Shield to adopt robust obligations on how personal data is collected and processed, and how individual rights are guaranteed to be monitored by the U.S. Department of...