Alert February 03, 2016

European Commission and United States Agree to New Framework for Transatlantic Data Flows

Summary

The European Commission and the United States reached an agreement on a new framework for transatlantic data flows. The new EU-US Privacy Shield will replace the Safe Harbor framework that was invalidated by the European Court of Justice in October. While the agreement has yet to be drafted, the framework is a positive step toward clarifying the legal requirements for data transfers between the United States and the EU.

On Feb. 2, the European Commission and the United States announced an agreement on a new framework for transatlantic data flows. The EU-US Privacy Shield will replace the Safe Harbor framework that was invalidated by the October 6 Schrems decision by the European Court of Justice.

Details of the framework remain to be drafted, but the Privacy Shield aims to address the concerns about the adequacy of U.S. protection of EU personal data raised by the Schrems decision by: (i) imposing stronger obligations on U.S. companies handling Europeans’ personal data; (ii) providing transparency in U.S. government access; and (iii) requiring stronger monitoring and enforcement by U.S. regulators.

The formal draft of the new framework will be prepared and released in the coming weeks, but three elements of the agreement were outlined in the press release announcing the agreement:

  • Obligations on companies handling Europeans’ personal data: U.S. companies wishing to import personal data from Europe will face stronger obligations to protect the personal data and individual rights of Europeans and enhanced enforcement and monitoring by the Department of Commerce and the Federal Trade Commission.
  • Safeguards and transparency on U.S. government access: According to the release, the U.S. has given the EU written assurances that there will be limitations on access of data by public authorities for national security and law enforcement purposes. In addition, the United States has stated that there will not be mass surveillance on personal data transferred to the United States under the new arrangement. There will be an annual joint review to monitor the functioning of the arrangement, which includes the issue of access for national security reasons.
  • Redress opportunities for EU citizens: Under the Privacy Shield, any citizen who believes that their data has been misused will have several opportunities for redress. Companies processing personal data will be required to reply to complaints within set deadlines, and European Data Protection Authorities will be able to refer complaints to the U.S. Department of Commerce and the Federal Trade Commission. These remedies include free alternative dispute resolution and arbitration as a matter of last resort for EU citizens.

At the press conference announcing the agreement, EU Commissioner Jourová expressed hope that the Privacy Shield will be implemented within the next three months. The European Commission will be working to complete the draft agreement, after consultation with the member states and the working party, while the United States will be putting in place the appropriate compliance structure for the Privacy Shield.

While the announcement of the framework is a positive step toward clarifying the legal requirements for data transfers between the United States and the EU, the Privacy Shield may still face legal hurdles as concerns persist about guaranteeing the rights of European citizens.

It remains unclear how U.S. companies should proceed following yesterday’s announcement, as the Privacy Shield still faces many hurdles before it can be implemented. Tuesday’s announcement did not provide guidance to the roughly 4,500 companies previously certified under the Safe Harbor framework or the countless other U.S. companies seeking to transfer data from Europe.

Goodwin Procter’s privacy and cybersecurity team will continue to monitor the developments and provide updates as they become available.

About Goodwin Procter’s Privacy & Cyber Security Practice

Goodwin Procter’s Privacy & Cybersecurity Practice, established formally in 2004, leverages the firm’s core strengths, collaborating across the firm’s highly regarded technology, financial institutions, licensing, litigation and investigations, regulatory and appellate practices. This unique approach, focusing on client needs and value, enables us to engage specialists whose experience and leadership are framed by a holistic understanding of the nature and importance of information to modern enterprises.

For more information about this update, or for other assistance regarding privacy and data security matters, please contact Brenda Sharton (Co-Chair, Privacy & Cybersecurity), Lynne Barr (Co-Chair, Privacy & Cybersecurity), Jacqueline Klosek or any member of the Goodwin Privacy & Cybersecurity practice.