October 28, 2015

European Union and United States Agree in Principle on New Safe Harbor Framework

A European Union representative has announced that the European Commission and the United States have reached an agreement in principle regarding an updated Safe Harbor framework to allow companies to transfer the personal data of EU citizens to the United States. This development follows closely after the October 6 decision of the European Court of Justice in Schrems v. Data Protection Commissioner, which invalidated the previous Safe Harbor framework.

On Monday, October 26, European Union Justice Commissioner Věra Jourová delivered a speech before the European Parliament in which she noted that the European Union and the United States had agreed “in principle” on a new framework to govern transatlantic data transfers. The details will be fleshed out during “intensive technical discussions” in the coming weeks, and possibly finalized when Commissioner Jourová travels to Washington, D.C. in mid-November for direct talks with Commerce Secretary Penny Pritzker.

While those details remain to be seen, Commissioner Jourová underscored the need for “effective detection and supervision mechanisms” by U.S. authorities and noted that the United States has committed to stronger oversight of the Safe Harbor program to “transform the system from a purely self-regulating one to an oversight system that is more responsive as well as pro-active and back[ed]-up by significant enforcement including sanctions.” 

In addition, Commissioner Jourová stated that the agreement with the United States would likely include an annual joint review mechanism to assess “all aspects” of the new framework, including law enforcement and national security exemptions. While noting that U.S. government surveillance was the “biggest challenge” in the Schrems decision, Commissioner Jourová emphasized that progress has been made on this front, including the passage of the USA Freedom Act, recent executive orders on intelligence operations, and the legislative effort to extend judicial protection to EU citizens under the Privacy Act of 1974. 


While this is far from a fully-fledged “Safe Harbor 2.0,” it is a significant step towards a framework to support the transatlantic data flows of the more than 4,000 U.S. companies that relied on the first Safe Harbor program to offer services to EU citizens.

While the announcement is cause for optimism among U.S. companies that are adherents, until the details are worked out many companies will continue to explore model contracts, binding corporate rules, and additional mechanisms to ensure the legality of their data processing. Moreover, large enterprises will increasingly scrutinize their vendors and suppliers. In any event, for the near future uncertainty and heightened enforcement risk seem inevitable, with data protection continuing to be an important issue for EU regulators.

About Goodwin Procter’s Privacy & Cyber Security Practice

Goodwin Procter’s Data, Privacy and Cybersecurity Practice leverages the firm’s core strengths, collaborating across the firm’s highly regarded technology, financial institutions, licensing, litigation and investigations, regulatory and appellate practices. This unique approach, focusing on client needs and value, enables us to engage specialists whose experience and leadership is framed by a holistic understanding of the nature and importance of information to modern enterprises.