From 2000 until October 6, 2015, the EU Data Protection Directive allowed for the transfer of personal data from European businesses to the U.S. under the Safe Harbor provisions negotiated between the European Commission and the U.S. Department of Commerce (DOC). That process, however, was declared invalid and the Safe Harbor process struck down by the Court of Justice of the European Union (CJEU) in a ruling made last October. The CJEU held that the EU-U.S. Safe Harbor was invalid because it did not stop the U.S. government from collecting personal data belonging to EU citizens, thereby failing to meet the “level of protection of fundamental right and freedom that is essentially equivalent to that guaranteed within the European Union.” As a result, no rules have been in place since October 2015, leaving businesses in a state of flux and uncertainty.
Today, EU regulators and the U.S. agreed to a new arrangement, labeled the “EU-US Privacy Shield,” which will reflect the CJEU’s opinion and provide for stronger obligations on the part of U.S. companies to protect the personal data of Europeans. Elements of the new plan include: (i) more robust obligations on the part of U.S. companies on how EU individuals’ personal data is processed, with individual rights guaranteed, more strongly monitored by the DOC, and enforceable under U.S. law by the Federal Trade Commission (FTC); (ii) written assurances by the U.S. that public authorities/law enforcement will be subject to clear limitations, safeguards and oversight, monitored by an annual joint review by the European Commission and the DOC, with input of national intelligence experts from both the EU and the U.S.; and (iii) established paths for redress if an EU citizen believes his/her data has been misused, including reply to complaints by companies, referral to the DOC and FTC, free alternative dispute resolution, and, for complaints by national intelligence authorities, a new Ombudsperson will be created.
As a next step following today’s agreement, an “adequacy decision” will be prepared for adoption by the EU Commission. The U.S. will begin preparations to put in place the new framework, monitoring mechanisms and the Ombudsman.
TAKEAWAYS
* Companies that transfer personal data should continue to keep a close eye on developments, including the details of implementation and enforcement of the Privacy Shield in the U.S.
* Although business owners, and in particular tech-related entities whose services necessitate that personal information transcends borders, may breathe a sigh of relief given that an immediate need for establishing European-based servers was averted, a level of uncertainty and the possibility of increased compliance-related costs remain. The regulatory implementation of the Privacy Shield in the U.S. is not yet clear and will certainly be more cumbersome than under the previous Safe Harbor, with stiffer penalties for violations.
* New storms may lie ahead, with the possibility of court challenges to the new Privacy Shield framework.