Two days after the expiration of the informal deadline to replace the Safe Harbor Framework invalidated by the Court of Justice of the European Union in October 2015, the EU and US have come to terms on a new framework—the “EU-US Privacy Shield.”  European Commissioner Vera Jourova has stated that the new EU-US Privacy Shield would be compatible with the forthcoming General Data Protection Regulation and could be available as a data transfer mechanism as early as May 2016, but historically, other European Commission decisions have taken well over a year.

The EU-US Privacy Shield aims to usher in a new transatlantic détente on data protection and privacy issues and a new regime for the lawful transfer of personal data from Europe to the United States.  Not much is publicly known about the details of this new EU-US Privacy Shield, but we do know the following from a European Commission Press Release:

• New US Ombudsperson—The US will establish a new Ombudsperson to address complaints relating to US intelligence authorities’ access to personal data concerning EU individuals.
• Limitation on US National Security Practices—The US has made binding commitments that US access to EU individuals’ data for national security purposes will have “clear limitations, safeguards and oversight mechanisms” limiting the access to what is “necessary and proportionate.”  The US has also agreed to an annual review of these commitments.
• Enforcement—The US Department of Commerce will monitor companies to ensure that they publish their privacy commitments, which then become enforceable by the Federal Trade Commission (FTC), similar to the previous Safe Harbor Framework.
• Free Alternative Dispute Resolution—EU individuals will have access to free alternative dispute resolution mechanisms.
• Time Sensitive Complaints—Any complaints sent by EU individuals to an EU-US Privacy Shield participating company must be addressed within a specific time frame by the recipient company.
• EU Referrals—European regulators will have a formal channel to refer complaints to the US Department of Commerce and the FTC.
• “Robust” Obligations—US companies participating in the new EU-US Privacy Shield will need to commit to “robust” obligations, including submission to European jurisdiction when transferring employee data.

In the coming weeks, there is work to be done on both sides of the Atlantic in order to put in place the EU-US Privacy Shield.  The Article 29 Working Party, which has a plenary session today and tomorrow, will be briefed on the details of the agreement.  The European Commission will draft a new adequacy decision to give the EU-US Privacy Shield legal effect under European law, and the US will be responsible for taking steps to put this new framework in place, including enhanced monitoring mechanisms and the appointment of a new Ombudsperson.

Questions remain as to the exact requirements of this new EU-US Privacy Shield and whether it will be able to survive scrutiny from EU and US stakeholders during this transition period and, once in force, any challenge submitted to the Court of Justice of the European Union. 

It is also unclear what binding assurances the US has made.  Congress recently failed to pass the Judicial Redress Act, intended to amend the Privacy Act of 1974 to give EU individuals the same right of redress US citizens have in US courts against the US government.  European Parliamentarian and former vice president to the European Commission, Viviane Reding, has called the deal disappointing and expressed serious doubts as to its viability—saying that the US commitments thus far are only backed up by a letter from US authorities. 

In the coming days, additional information on this new framework is expected from both the FTC and European regulators.  In particular, clarification as to how European regulators plan to enforce data transfer compliance before the EU-US Privacy Shield takes effect is eagerly anticipated, since this information will inform the steps companies take to comply with EU laws in the meantime.  Stay tuned.

© 2016 Perkins Coie LLP