U.S. and EU Reach New Agreement Governing Trans-Atlantic Data Transfer

After lengthy negotiations, officials in the U.S. and the European Union reached a new “safe harbor” agreement governing how personal data may be transferred between the two regions. The new agreement, called the EU-US Privacy Shield, comes after the previous Safe Harbor Program was invalidated on October 6, 2015, by a ruling of the Court of Justice of the European Union (CJEU).

Background

The Safe Harbor Program, established by the European Commission (EC) in 2000, required that personal data of individuals in the EU could only be transferred outside of the EU if the company provided certain protections for such data. Under this framework, a U.S. company wishing to use the Safe Harbor would self-certify its compliance with these protection requirements and not be subject to the individual data protection laws of the EU member states. The Safe Harbor Program became the subject of controversy in 2014, after an Austrian law student (Maximilian Schrems) brought an action before the CJEU, arguing that the Safe Harbor did not actually provide “adequate” protection of EU personal data as required by the EU Data Protection Directive, especially in light of the unrestricted access to personal data by U.S. intelligence agencies. After the CJEU Advocate General issued an influential, non-binding opinion on September 23, 2015, recommending that the Safe Harbor Program be invalidated, the CJEU issued a formal opinion to the same effect on October 6 (our previous article on this decision can be found here). While the decision did not expressly prohibit the transfer of EU personal data outside of the EU, it potentially gave each EU member state the ability to determine whether the Safe Harbor provides “adequate” protection or is otherwise illegal under the data-protection laws of that member state. After the decision, companies that export personal data of individuals in the EU worried that they could no longer rely on a unified set of data transfer requirements. Some companies began preparing to undertake the complex task of complying with multiple sets of requirements.

Safe Harbor 2.0 Negotiations

After the CJEU’s October decision, officials in the U.S. and EU, including members of the U.S. Department of Commerce, the U.S. Federal Trade Commission, and the EC, renewed negotiation of the terms of a new data transfer agreement. As part of the negotiations, which took place in Brussels, U.S. officials agreed to several new data protection measures. First, U.S. officials agreed to increase oversight over how U.S. intelligence agencies access EU personal data. Second, U.S. officials agreed to appoint a data ombudsman within the U.S. Department of State, to allow a direct point of contact with EU officials in the case of suspected misuse of EU personal data. Third, a bill titled the Judicial Redress Act was proposed to create a legal remedy for EU citizens alleging data misuse by the U.S. government. Sources close to the matter stated that EU officials had some doubts that these proposals would be effective in limiting U.S. intelligence agencies’ access to EU personal data. However, the parties were able to reach an agreement on February 2, 2016, which the EC summarized briefly in a press release.

EU-US Privacy Shield

The exact terms of the new agreement, called the EU-US Privacy Shield, have not yet been released. However, the EC has stated the agreement contains three general elements. First, the Privacy Shield contains stronger data protection obligations and more robust enforcement than the Safe Harbor. Namely, companies wishing to import personal data from Europe must commit to these new obligations, which the Department of Commerce will then monitor. Companies’ published data protection commitments will be enforceable under U.S. law by the Federal Trade Commission. Second, the Privacy Shield contains safeguards and transparency obligations regarding how U.S. government agencies can access EU customer data. The U.S. made an unprecedented concession that it will implement oversight mechanisms on its own agencies’ data access, and indiscriminate mass surveillance of personal data is not allowed under the new Privacy Shield. The Privacy Shield also contemplates an annual review of the U.S. government’s adherence to these new safeguards by both the Department of Commerce and the EC. Third and finally, the Privacy Shield contains a legal right of redress for any EU citizen who considers that their data has been misused. Complaints can be reported to various European data protection agencies, which are then forwarded to the Department of Commerce and the Federal Trade Commission. Companies implicated in such complaints will have deadlines by which to respond. The Privacy Shield also implements one of the prior negotiation points: a new ombudsperson in the U.S. will be responsible for responding to complaints implicating national intelligence agencies.

What This Means for You

While this deal has been agreed to in principle, it is important to note that the deal is not final and not yet legally binding. Each of the EU’s 28 member states must now officially approve the new deal, and if this occurs, presumably, the deal’s exact terms will be publicly released. This process may take up to three months. In addition, the new agreement must withstand scrutiny from the CJEU. Various European privacy-rights organizations are already planning to file legal challenges seeking to overturn the new Privacy Shield. This may lead to scrutiny by the CJEU in the near future. Another obstacle to the deal’s ultimate adoption may come in March or April, when Europe’s national privacy agencies are set to release a judgment regarding how EU customer data may be used outside of the EU. These privacy agencies were originally planning to issue a decision this week as to whether to begin bringing enforcement actions against companies still adhering to the now-invalid Safe Harbor. However, in light of the new agreement reached this week, these agencies have decided to take some time to review the Privacy Shield to determine whether its provisions provide adequate protections to EU customer data. Even though these agencies have stated that they will not bring enforcement actions during this review period, they have also reserved the right to bar data transfers by companies which continue to rely exclusively on the invalid Safe Harbor.

To address the potential bar on data transfers, multi-national companies may consider carefully analyzing the individual data protection regulations of each EU member state to ensure compliance with this complex legal framework. This analysis may result in companies changing their existing data transfer practices by moving data centers to the EU (for those that can afford it) or exploring other methods of complying with EU data protection laws. For example, multi-national companies may decide to use alternatives such as binding corporate rules and model contract clauses to comply with EU data protection laws. However, both of these alternatives require a significant amount of time to implement and may not be practical for every organization.

This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.