The European Commission (EC) and the U.S. Department of Commerce have reached an agreement to create a framework for transfers of personal data from the European Union to the United States. The framework, named the EU-U.S. Privacy Shield, will replace the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union in October 2015.

The Privacy Shield, announced February 2, 2016, will be composed of four key components:

  • Strong obligations on companies handling Europeans' personal data and robust enforcement: Companies that commit to the Privacy Shield must commit to ''robust obligations'' on personal data collection and processing and guarantee individual rights. These commitments will be published and enforced by the Federal Trade Commission (FTC). Companies handling human resources data from the EU must also commit to complying with decisions by EU Data Protection Authorities (DPAs).

  • Clear safeguards and transparency obligations on U.S. government access: The United States has given the EU written assurances that access by law enforcement and national security officials to personal data will be subject to clear limitations, safeguards, and oversight mechanisms. Any access to data must be necessary and proportionate to the need for such access. The United States has agreed not to conduct indiscriminate mass surveillance on the personal data transferred to the country.

  • Annual joint review: The EC and the Commerce Department will conduct an annual review in order to monitor the functioning of the Privacy Shield. The review will include the issue of national security access.

  • Effective protection of EU citizens' rights with several redress possibilities: Citizens who believe their data has been misused will have several redress possibilities, including alternative dispute resolution without charge. Companies will have deadlines to reply to any complaints, and European DPAs can refer complaints to the U.S. Commerce Department and the FTC. To address any complaints of access by national intelligence authorities, the United States will create a new ombudsperson position.

    Statement of the Article 29 Working Party on the Consequences of the Schrems Judgment

    Following the announcement of the Privacy Shield, the Article 29 Working Party (WP29), an entity entrusted with promoting uniform application of the Data Protection Directive throughout the European Economic Area and giving the EC an opinion on community laws  affecting the right to protection of personal data, released a statement on February 3, 2016, regarding the Privacy Shield and the transfer of personal data following the Schrems decision. The WP29 emphasized that there must be four essential guarantees for intelligence activities that are respected whenever personal data is transferred from the EU to the United States and to other countries:

    • Processing should be based on clear, precise, and accessible rules. Anyone who is reasonably informed should be able to foresee what might happen with personal data once it is transferred.

    • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated. There must be a balance between the objective for which data is collected and accessed (generally national security) and the rights of the individual.

    • An effective, impartial, and independent oversight mechanism should exist. The mechanism can be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks.

    • Effective remedies need to be available to the individual. Anyone should have the right to defend his or her rights before an independent body. 

      The WP29 stated that it will analyze the Privacy Shield to ensure it meets with these guarantees. The WP29 noted that it still has concerns about the U.S. legal framework, despite the progress the United States has made since 2014. It will also evaluate how current mechanisms for data transfers to the United States—Model Contractual Clauses and Binding Corporate Rules—offer appropriate guarantees.

      Long Road Ahead

      Despite the wide publicity the announcement of the Privacy Shield received, there is still a long way to go before it becomes enforceable. In the coming weeks, the EC will draft an adequacy decision and will then send the decision, along with supporting materials, to the WP29 for consideration. The College of EU Commissioners will then need to adopt it, taking into consideration the opinion of the WP29 and consulting with a committee composed of representatives of the member states. It is likely that this process will take at least several months. In addition, certain steps are still expected to be completed on the part of the United States, including the passing of the Judicial Redress Act and the appointment of the ombudsperson.

      Even if finalized, the Privacy Shield will likely meet with legal challenges. Notably, Max Schrems has already stated that, depending on the final language of the Privacy Shield, he may bring such a challenge before the court. In addition, after January 31, the unofficial deadline imposed for reaching an alternative solution to the data transfers had passed, the data protection authorities of the EU member states may commence enforcement against companies that are still relying on the invalidated Safe Harbor for their transfers.

      Companies who need to transfer personal data from the EU to the United States should continue to assess their transfers with a view to minimizing the scope of the transfer and finding appropriate transfer mechanisms.

      Attorneys in Ballard Spahr’s Privacy and Data Security Group have extensive experience guiding companies in the reliable and efficient transfer of data cross-border transfer of personal data between the EU and United States.

      Copyright © 2016 by Ballard Spahr LLP.
      (No claim to original U.S. government material.)

      All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

      This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.