This morning, the European Commission and US Department of Commerce agreed on a Safe Harbor replacement deal, rebranded as the EU-US Privacy Shield. The deal was first announced via Twitter by EU Justice Commissioner Vera Jourová, then detailed in a press conference in Strasbourg, France.
While details of the agreement have not been disclosed, the EU-US Privacy Shield reportedly addresses requirements set out by the European Court of Justice in its ruling on October 6, 2015, which declared the previous framework invalid. In her press conference, Commissioner Jourová emphasized the following three elements of the new deal:
- Strong obligations on companies handling Europeans' personal data and robust enforcement;
- Clear safeguards and transparency obligations on US government access; and
- Effective protection of EU citizens' rights with several redress possibilities.
According to the European Commission, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms, enforced by the Department of Commerce and Federal Trade Commission.
Tomorrow, the Article 29 Working Party (European data authorities) will share their recommendations on the transfer of digital information outside of the European Union. An "adequacy decision" will be drafted after consulting the Working Party and a committee representing the member states of the European Union. In the meantime, the US is making preparations to implement the new framework and install a State Department ombudsman, who will be a first point of contact for Europeans if they believe American government agencies have misused their data.
We will continue to monitor developments in the Privacy Shield and share analysis on the new framework as more details become available. For questions or assistance regarding data protection and transfer issues, please contact Sarah L. Bruno or Eva J. Pulliam.