Safe Harbor 2.0 Arrives as EU-U.S. Privacy Shield; Approvals Still Necessary
European Commission (EC) and U.S. Department of Commerce (DOC) negotiators have reached a deal to implement a new U.S.-EU Safe Harbor Framework: the EU-U.S. Privacy Shield (what had informally been called "Safe Harbor 2.0"). This deal was fervently sought after the European Court of Justice's (ECJ) decision in Schrems v. Data Protection Commission, Case C-362/14 (Oct. 6, 2015) (see our posts here and here), which deemed the previous Safe Harbor Framework inadequate and concluded that Data Protection Authorities (
Key points of discussion in the closing days included the availability of redress for EU citizens in U.S. courts and other governmental bodies, and vice versa. Legislation currently making its way through Congress would explicitly give European citizens the right to seek redress in U.S. courts. Negotiators also debated the authority of
- Companies handling employee data must commit to comply with Europe and
- U.S. law enforcement and national security access to EU citizens' personal data will be the exception, and "must be used only to the extent necessary and proportionate"; annual joint review of this arrangement will be held.
- European citizens will have redress for alleged misuse of their data through new obligations of companies to respond to complaints and through no-charge alternative dispute resolution, among other routes.
The new Privacy Shield will allow companies to continue to transfer data between the U.S. and the EU, benefitting both companies who operate predominantly online (such as social media platforms and search engines) and traditional companies, many of which are concerned mostly with transferring employee or customer data around the world. Beneficiaries should include not only many multinational companies in sectors ranging from the chemical industry to consumer product companies to brick-and-mortar
Several steps remain before the Privacy Shield is formally adopted. The College of Commissioners directed Vice-President Andrus Ansip and Commissioner Věra Jourová to prepare a "necessary adequacy decision" in coming weeks, for approval by the College. That process contemplates obtaining input from the Article 29 Working Party and a committee of Member States' representatives. Separately, the U.S. will be setting up the mechanisms for the framework, monitoring mechanisms, and new Ombudsman. The timing of the deal is no surprise, since a committee of EU
The negotiating team on the U.S. side was comprised of representatives from DOC (including the general counsel), the FTC, and members of the intelligence community. On the European side, negotiators included representatives from the EC and
Assurances from DOC representatives indicated that the 4,400+ companies already transferring data as Safe Harbor-
This deal, though welcome, is emblematic of a new, post-Snowden phase in the realm of international privacy and data transfers. Opposition to broad surveillance of mass citizenry has grown among the public in Europe and the U.S., with significant animus and distrust directed at the U.S. intelligence community in particular. In Europe, this has translated into a distrust of American companies at a time when European businesses are fighting global dominance by U.S. tech, search, and social media firms. An approved deal is only the start of a restoration of that trust, and there are still many steps that must be taken before final approval and implementation. Companies operating on both sides of the Atlantic and around the world should view the EU-U.S. Privacy Shield as a signal that regulators recognize the importance of global data flows to a strong economy, and the need to balance privacy rights with national security interests and practical business realities.
Keep up to date on privacy, data security, and related consumer protection issues by following us on the Consumer Protection Connection. For more information on the new Privacy Shield and related privacy matters, contact Sheila A. Millar (email@example.com, +1 202.434.4143) or Tracy P. Marshall (firstname.lastname@example.org, +1 202.434.4234).