EU, U.S. Agree on New Safe Harbor Framework

The European Union and the United States recently agreed on a new framework that will allow for trans-Atlantic data flows between Europe and the United States.

The College of Commissioners approved the so-called “EU-U.S. Privacy Shield,” which replaces the Safe Harbor agreement. Furthermore, it has mandated that Andrus Ansip, vice president for the Digital Single Market on the European Commission, and Commissioner Vera Jourová prepare the necessary steps to put in place the new arrangement. “This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses,” the European Commission stated.

As Compliance Week previously reported, the EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its October 2015 ruling in the case Schrems v. Data Protection Commissioner. In that case, the European Court of Justice ruled that the U.S.-EU Safe Harbor Framework, in place since 2000, was invalid.

The decision effectively meant that personal data transferred from Europe to the United States was no longer presumed to be protected adequately—and gave individual EU nations authority regulate that flow of data much more vigorously, or bar it entirely. Nearly 4,500 companies that self-certified under Safe Harbor principles have faced legal uncertainty over their EU-U.S. commercial data transfers since the Schrems decision.

Following the ruling, Ansip and Commissioners Oettinger and Jourová met with business and industry representatives who asked for a clear and uniform interpretation of the ruling, as well as more clarity on the instruments they could use to transfer data. That led the Commission to issue guidance for companies on the possibilities of transatlantic data transfers following the ruling until a new framework is put in place.

Safe Harbor 2.0

The new arrangement will provide stronger obligations on U.S. companies to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. In a statement, Ansip said the new framework is “robust and offers significant improvements compared to the old framework.”

“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” Jourová said. “Also for the first time, EU citizens will benefit from redress mechanisms in this area.”

Specifically, the new arrangement will include the following elements:

Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the FTC. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European data protection authorities (DPAs).

Clear safeguards and transparency obligations on U.S. government access: For the first time, the United States has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The United States has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.

Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new ombudsperson will be created.

The College of Commissioners has mandated that Ansip and Commissioner Jourová prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the member states.

In the meantime, the United States will make the necessary preparations to put in place the new framework, monitoring mechanisms, and a new ombudsman.