US companies will need to take action to comply with any new agreement
As we explained in detail in our Explanatory note of October 6 2015, and the webinar that followed held on October 9, the Schrems decision of the Court of Justice of the EU (CJEU) invalidated the US Safe Harbor program, and as a result of that most transfers of European personal data to the US done under that scheme became potentially illegal, if not covered by other legal options as described below.
Subsequently, Europe’s national Data Protection Authorities (DPAs), through the so called Article 29 Working Group, declared their intention not to bring enforcement actions against such EU – US data transfers before February 1, in order to give the US and EU time to reach a new agreement that could meet the objections raised by the CJEU.
In the meantime, we have been assisting a number of companies who decided to pursue alternate methods of compliance (model contract clauses and binding corporate rules). However, other companies decided to wait to see the results of negotiation, hoping that they would be able to comply with a new revised Safe Harbor agreement.
Fortunately, senior government officials on both sides of the Atlantic have suggested that this is the week for a new agreement to be announced. Any such agreement will have to provide additional transparency regarding US Government access to personal information under a national security rationale. It also will have to provide additional avenues of redress for Europeans whose data may have been inappropriately collected or used. We also expect that there will be a transition period for US companies previously relying on the Safe Harbor program to benefit from the coverage of the new arrangement.
Of course, any agreement will not be self executing. It will have to be approved and implemented by US, EU and by European national government authorities. But we expect this to happen. Similarly, we expect there to be legal challenges to any new arrangement before selected DPAs, which will end at some moment before the CJEU. But these proceedings will take some time and compliance with Safe Harbor 2.0 may be the easiest, cheapest and fastest way to preserve data flows unless and until the new agreement is eventually invalidated.