Mayer Brown discusses EU and US Agreement on Scheme to Replace Safe Harbor: EU – US Privacy Shield

In October 2015, the Court of Justice of the European Union (“CJEU”) held that transfers of personal data from Europe to the United States made under the so-called US Safe Harbor scheme were invalid as those transfers did not ensure an adequate level of protection under European data protection law.

In the aftermath of that decision, the Article 29 Working Party, the organisation that represents the data protection authorities of the European Union, set 31 January 2016 as the deadline by which the representatives of the European Union and the United States had to find solutions to address the significant risks identified by the CJEU with respect to the transfer of personal data to the United States. At the time, the Article 29 Working Party made it clear that if no appropriate solution was reached with the United States by the deadline, European data protection authorities were committed to take all necessary and appropriate actions, which might include taking coordinated enforcement action. That deadline has now expired.

On 2 February 2016, the European Commission announced that it had reached a high-level agreement with the United States on a series of measures to resolve the issues identified in the CJEU’s ruling. These are as follows:

  • The Safe Harbor scheme will be replaced by a scheme called “EU – US Privacy Shield” which will be administered by the US Department of Commerce. European and United States representatives will confirm the process and timing for the transition from the Safe Harbor to the EU – US Privacy Shield scheme in due course.
  • By joining the EU – US Privacy Shield scheme, an organisation will be able to import personal data from Europe into the US provided that organisation publicly commits to the manner in which and the purposes for which it will process personal data in the US and agrees to comply with enhanced requirements about the manner in which personal data will be processed by it. Existing restrictions concerning onward transmission of personal data from the US to other countries will be tightened.
  • Each organisation that certifies that it complies with the EU – US Privacy Shield scheme will have its compliance with the scheme monitored and reviewed by the US Department of Commerce. If an organisation is found not to have complied with its commitments, sanctions will be applied against that organisation by the US Federal Trade Commission and it may be removed from the EU – US Privacy Shield scheme certified list.
  • If an individual has a complaint with respect to the way in which his or her personal data has been processed by an organisation that has certified to the EU – US Privacy Shield scheme, the complaint must be considered free of charge by the organisation in question within a limited timeframe in the first instance. If that complaint is not resolved, the individual concerned may refer the complaint free of charge to his or her European data protection authority, which may decide to refer the complaint to the US Department of Commerce and Federal Trade Commission for their consideration. The US Department of Commerce and Federal Trade Commission will be required to investigate and resolve the complaint within a reasonable but limited timeframe. If the complaint is not resolved to the individual’s satisfaction, the complaint can be referred to arbitration for final resolution.
  • The US Director of National Intelligence will provide a binding, written assurance to the European Union that access to personal data about European citizens for national security and law enforcement purposes will only occur to the extent it is necessary and proportionate, that it will be subject to clear limitations, safeguards and oversight mechanisms and that no indiscriminate or mass surveillance on personal data transferred to the US under the new scheme will occur.
  • The Judicial Redress Act must be passed by US Congress so that European citizens have the same rights of redress as US citizens with respect to unlawful access of their personal data by US public bodies. Any complaints about access to personal data by US national intelligence authorities that have been referred to the US by European data protection authorities will be heard by an ombudsman to be appointed in due course. The ombudsman will operate independently of the US national security authorities.
  • The European Commission and the US Department of Commerce will conduct a joint annual review of, and report on, the functioning of and compliance with these arrangements.

The European Commission anticipates that it will take three months for European and United States authorities to finalise and put in place the arrangements that have been agreed, meaning that the EU – US Privacy Shield scheme should be implemented in May 2016.

Following the announcement and its discussions with the European data protection authorities in the next few days, the European Commission intends to adopt a decision that confirms that processing of personal data in the US by organisations that are certified under EU – US Privacy Shield, once implemented, will be deemed to be adequately protected in accordance with European data protection law.

The full memorandum was originally published by Mayer Brown on February 3, 2016, and is available here.