by Mary Kate Bonner and Andrew Baer
The United States and European Union finalized negotiations on Tuesday, February 2 for a framework to replace the Safe Harbor framework, held invalid by the European Court of Justice (ECJ) last October. (See press release from European Commission here.) Companies in the United States previously could self-certify compliance with the Safe Harbor principles, allowing companies operating in the EU the assurance of adequate protection needed to transfer personal data across the Atlantic. The ECJ had held that Safe Harbor did not ensure adequate protection of the fundamental rights and freedoms of European residents in the U.S. because intelligence activities by the NSA and other government authorities allegedly included indiscriminate surveillance and interception of personal data, beyond that which is strictly necessary, and not proportionate to the protection of national security. Also, EU residents were left with no administrative or judicial remedy to address, correct, or erase their data. Since October, companies could no longer rely on Safe Harbor certification for transfers of personal data from the EU.
On February 2, European Union Vice-President Ansip and Commissioner Jourová announced the new EU-U.S. Privacy Shield. There is still a good amount of work left before the framework can take effect, both in the EU and the U.S. The EU Commission first needs to finalize documents related to the Privacy Shield. Data Protection Authorities in each of the EU countries and the EU Data Protection Supervisor will review the documents and make their recommendation, together as the EU Article 29 Working Party. Then the Commission will need to vote. Approval for the new framework is not expected any earlier than the end of April. With many officials in the EU and in EU countries concerned about the new framework, approval is not guaranteed.
In the next couple of months, the U.S. Department of Commerce will work with the Federal Trade Commission to develop new standards for companies in the United States and put in place compliance monitoring mechanisms. See Commerce Department Fact Sheet here and Statement here, FTC Statement here. Companies will be able to self-certify their compliance with Privacy Shield. Those companies who previously self-certified as compliant with Safe Harbor will be given a transition period. There will be stronger requirements and enforcement on companies in the U.S. handling personal data from the EU, such as strict deadlines for companies to respond to requests coming from European residents. Most details are still to come. The State Department will appoint a new Ombudsperson to handle complaints from EU residents about access to personal data by national intelligence authorities. Finally, the Judicial Redress Act should be enacted soon, which will allow EU citizens to have access to the U.S. courts for redress concerning use of their personal data for law enforcement purposes.
For companies in the U.S. today, the Article 29 Working Party stated (here) that, for now, existing mechanisms in place for transferring data from the EU may continue to be used. Once Privacy Shield documents are provided to them, the Working Party will evaluate all transfer methods and decide whether they can continue to be used. Until then, companies in the U.S. can still rely on Standard Contractual Clauses (also known as Model Clauses), Binding Corporate Rules (for international companies), and explicit consent of the data subject for data transfers, although there is a high threshold for valid consent (and so this should only be used with caution).
Many technology companies have been operating in a state of limbo for months since the ECJ decision last October. While the EU-U.S. Privacy Shield demonstrates some movement forward, the road ahead is likely to have a number of detours and unknown obstacles. Companies in the U.S. that handle data from the EU should continue to tread carefully and make no assumptions just yet. This may be a good time for companies to review their technical security and organizational measures for safeguarding personal data so they can implement any needed changes to comply with obligations for the new framework as soon as it is released.
For any questions on how this may impact your business, you can contact Mary Kate Bonner (email@example.com) or Andrew Baer (Andrew@baercrossey.com). Baer Crossey McDemus will also present a free webinar soon, so stay tuned for more information.