Litigation Alert: From a Safe Harbor to a Privacy Shield

The October 6, 2015, decision of the Court of Justice of the European Union in the Schrems v. Facebook case left significant uncertainty surrounding the legality and practicality of U.S. technology companies’ ability to process and use personal data received from the EU, in the absence of the Safe Harbor framework. Since that date, parties on both sides of the Atlantic have been waiting for clear guidance from U.S. and EU regulators on how to deal with data transfer between the EU and U.S. Pressure only mounted as the January 31st, 2016, deadline set by Europe’s national data protection authorities came and passed. But today, U.S. and EU regulators announced that they have come up with a new framework for transatlantic data flows, dubbed the EU-U.S. Privacy Shield.

What do we know?

Details and the actual text of the Privacy Shield agreement between the EU and U.S. were not immediately available, but regulators on both sides have confirmed that the parties have reached an agreement in principle that will allow for the continuation of an important mechanism for transatlantic data transfers outside of binding corporate rules and model contractual clause arrangements. As of now, only a few key elements of the Privacy Shield framework have been identified:

• strengthened cooperation between the FTC and EU authorities;
• commitments from the U.S. that access to EU data for national security and law enforcement purposes will be subject to clear conditions, limitations and oversight mechanisms;
• the creation of an ombudsperson within the State Department to receive and respond to concerns and complaints regarding data access by the U.S. law enforcement and intelligence agencies;
• strong obligations on companies handling Europeans’ personal data and robust enforcement, including monitoring by the Department of Commerce; and
• multiple avenues for resolution of disputes between European individuals and companies, including a requirement that companies offer Europeans the option of choosing forms of alternative dispute resolution, at no cost to the individual.

For now, these broad strokes are all that is known about the accord, as neither EU nor U.S. officials have provided details on when the final text may be released. The Department of Commerce has, however, indicated that it is planning to offer briefings regarding the Privacy Shield framework, and how it differs from the prior Safe Harbor framework.

What’s next?

The next major milestone is securing approval for the Privacy Shield framework. To do so, the European Commission will prepare a draft “adequacy decision” to present to the Article 29 Working Party and the Member States before the Privacy Shield framework can be approved and adopted. Commissioner Věra Jourová has indicated this process could take up to three months.

So what about now?

In the meantime, it remains to be seen what view the European data protection authorities will take with regards to current non-compliance with EU laws regarding data transfers. It would seem unlikely that regulators will aggressively bring enforcement actions given that the framework is still in a state of flux and a new Shield is imminent. However, companies should continue to evaluate ways to mitigate risk.