European Union and U.S. Department of Commerce officials announced a political agreement to replace the invalidated EU-U.S. Safe Harbor program with the “EU-U.S. Privacy Shield” on February 2, 2016. It is, at this time, only a “political agreement” because it must be approved by EU governmental authorities.
The announcement was short on specifics and raised many questions, most of which went unanswered in a press conference conducted by the U.S. Department of Commerce following the announcement. Questions abound for counsel to companies that transfer data from the EU to the U.S.
The agreement may engender opposition within the EU, and may be subject to challenge under the standards of the European Court of Justice in Schrems v. Data Commissioner.
The text of the new agreement is not yet available nor is there an effective date, and Commerce Department officials had little to offer in the way of details, but the main points of the agreement are as follows:
1. The U.S. will provide assurances that any surveillance of data of EU citizens will be targeted and proportionate. The U.S. State Department will appoint an Ombudsperson to take complaints from EU citizens regarding surveillance by U.S. intelligence agencies. The Ombudsperson’s authority is as yet unclear.
2. While there is no direct right of judicial redress for EU citizens aggrieved by data disclosures of, or access by, U.S. entities, the Federal Trade Commission will cooperate with EU Data Protection Authorities with regard to complaints of inappropriate stewardship of their data by U.S. entities. In addition, U.S. companies in the new program must offer alternative dispute resolution (“ADR”) to EU citizens at no cost (ADR was required in the former Safe Harbor, but at a cost). Arbitration may be available if the ADR proceeding is not resolved to the EU citizen’s satisfaction, but no details have been provided.
3. S. companies must register with the new program and certify that they will abide by the program’s data safeguard principles (not yet provided).
There is much uncertainty, including the survival chances of this agreement as it wends its way through the required EU approval levels. Could it withstand a court challenge and will the “grace period” observed by EU Data Protection Authorities be extended during the approval period? Companies would be well advised to continue on their current courses with regard to alternatives to the old Safe Harbor until text details for the new program are available.
If you have questions as to data transfers from the EU, please contact Kenneth N. Rashbaum.