US Safe Harbor update: EU-US Privacy Shield – a new framework for data transfers

On 6 October 2015, the European Court of Justice (ECJ) ruled that the previously established Safe Harbor framework was invalid as a mechanism to approve transfers of personal data between Europe and the US. Following that decision, the national Data Protection Authorities (Article 29 Working Party) called on EU and US officials to renegotiate Safe Harbor before the end of January 2016.

On 2 February 2016, the European Commission and the US agreed on a new framework: the EU-US Privacy Shield will permit transatlantic transfers of personal data, and reflects the requirements of the ECJ’s October 2015 ruling. On 3 February, the Working Party confirmed that the new framework will supersede the Safe Harbor scheme.

Implications of the new agreement

US companies will now need to commit to “robust obligations” when processing European citizens’ personal data and preserving their rights. The US Department of Commerce will be charged with overseeing companies’ commitments, and the Federal Trade Commission will manage enforcement. US companies handling human resources data from Europe will also have to comply with the European Data Protection Authorities.

“Clear safeguards and transparency obligations” with “clear limitations, safeguards and oversight mechanisms” will now be placed on US government agencies that wish to access European citizens’ personal data, and mass surveillance will only be permissible in very limited circumstances.

The Working Party has also specified “four essential guarantees” that the US Government must adhere to, including clear processing rules and the need to strike a balance between the objectives of data collection and access, and the rights of individuals. New remedies for citizens’ redress have also been introduced, including the establishment of a complaints ombudsman.

Next steps

The Working Party has given the European Commission until the end of February 2016 to disclose a copy of the agreement, so it can assess compliance with the ECJ ruling and the Data Protection Authorities’ expectations. Until this time, the agreement will not be legally binding.

Meanwhile, companies can still rely on other legal mechanisms to transfer data between the EU and US, such as EU model clauses or Binding Corporate Rules. Companies should, however, prepare now for the changes ahead.

EY Legal Services Contacts:

Fabrice Naftalski – Global Data Privacy Leader

Peter Katko – Global Digital Law Leader