The New EU-US Privacy Shield: a New Deal on Personal Data Transfers

By Bruce J. Heiman, Michael J. O’Neil, Ignasi Guardans, Etienne Drouard

On February 2, two days after the deadline set by Europe for agreement on a new Safe Harbor governing US access to the personal data of European citizens, US and EU negotiators announced that they had agreed upon a framework for a new data sharing agreement, which will be called the EU-US Privacy Shield, to replace the Safe Harbor agreement struck down by the European Court of Justice on October 6, 2015.

US companies adhering to the EU-US Privacy Shield, which has yet to be formally adopted by both the EU Commission and the US Department of Commerce, will be able to receive, store and use personal data from Europe according to its terms.

The key elements of the EU-US Privacy Shield, which aims to assure that US protections of European personal data will be essentially equivalent to those provided in Europe, will be:

  • Stronger obligations for US companies to process European data and the obligation for US companies to comply with decisions of European Data Protection Authorities.
  • US government monitoring of US company compliance, including an EU-US annual joint review of the agreement.
  • US government enforcement by the Federal Trade Commission.
  • Detailed US government commitments concerning limitations that will apply to US law enforcement and intelligence access to the European data, including a commitment that it will not be subjected to indiscriminate mass surveillance, to be overseen by a US Ombudsman appointed for this purpose with full powers to review and respond to complaints from EU citizens.
  • EU citizen rights to file complaints with the US Department of Commerce and the FTC, backed up by the right to an alternative dispute resolution mechanism.

Key guarantees undergirding the framework are set out in letters from the US to the European Commission signed by the White House and the US Director of National Intelligence. Those letters have not yet been made public.

While explicitly not required as an immediate condition of the agreement, the EU clearly hopes that the Judicial Redress legislation now under consideration in the Senate will pass soon.

Further Regulatory Steps

What will follow this announcement will be the development of a draft for adoption by the parties and, in Europe, its presentation to the EU Commission. On the US side, an implementation framework must be put into place, including the creation of the Ombudsman’s office and passage of the Judicial Redress Act. In both Europe and the US, there will be skeptics who question the solidity of US assurances, particularly as to law enforcement and intelligence access to European data, and whether the EU-US Privacy Shield is a step forward in privacy protection or simply a rehash of the now defunct Safe Harbor.

We expect that the agreement will be supported this Wednesday, February 3, by the European Data Protection Authorities, adopted by the EU Commission and put into place.

Prepare Yourself Now

Legal challenges may follow in some EU countries, but they will take some time to perfect, since alternative dispute resolution and annual EU-US joint review mechanisms are provided as new alternatives to potential claims before the European Court of Justice. In the meantime, US companies will need to make any necessary adjustments in order to accede to the new EU-US Privacy Shield.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.