Better Late Than Never: U.S. and EU Regulators Reach Data Privacy Agreement
Officials from the United States and European Union have reached a tentative agreement regarding transfers of Europeans' personal data from the EU to the United States. As stated in the announcement, “This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” When finalized, it will replace the previous Safe Harbor framework between the U.S. and EU, which was struck down by the European Court of Justice (ECJ) in October 2015. This agreement comes several days after a self-imposed deadline for crafting new terms had passed.
The central issue is the transfer of personal information from the EU to the U.S. Under the European Data Protection Directive, personal data may not be sent to a third country unless that country ensures an adequate level of data protection. The European Commission can find that a country's regulatory regime and/or its commitments under international agreements meet that standard and issue an “adequacy decision” permitting transfers. For the U.S., the Commission's 2000 Safe Harbor decision took a different form: U.S. companies could self-certify to the Department of Commerce that they adhered to a set of Safe Harbor privacy principles, and transfers to those companies were then treated as adequately protected under European law.
In October 2015, the ECJ held that a Commission adequacy decision does not prevent national supervisory authorities from investigating complaints that a transfer breaches European data privacy rules, and it declared the Safe Harbor decision itself invalid. In practice this meant that U.S. companies receiving data from Europe could no longer rely on Safe Harbor and might have to demonstrate compliance with European data privacy rules by other means, and could face penalties if they did not. The specific concern in the October 2015 case was that U.S. public authorities could access, on a generalized basis, personal data held by private companies, without EU citizens having an effective legal remedy.
This new agreement, called the “EU-US Privacy Shield,” takes several steps to address the issues cited by the ECJ in its October 2015 ruling. It includes written commitments from U.S. public authorities that their access to transferred personal data will be subject to clear conditions, limitations and oversight, preventing generalized access. Its provisions include:
- Strong obligations on companies handling Europeans’ personal data and robust enforcement;
- Clear safeguards and transparency obligations on U.S. government access; and
- Effective protection of EU citizens’ rights with several redress possibilities.
Under the new agreement, the U.S. “has ruled out indiscriminate mass surveillance on the personal data transferred to the U.S. under the new arrangement.”
The U.S. Department of Commerce and the Federal Trade Commission are tasked with enforcing the new rules. The EU-US Privacy Shield also creates an Ombudsman position within the State Department to act as the initial contact for aggrieved Europeans who believe that U.S. government agencies have misused their personal data. Furthermore, the EU and U.S. will review the guarantees laid out in this agreement each year.
Negotiators will spend the next several weeks ironing out the details of the new agreement. On the European side, the Commission will draft an “adequacy decision” to be adopted by the College of Commissioners. Meanwhile, the U.S. will “make the necessary preparations to put in place the new framework, monitoring mechanisms, and new Ombudsman.”
If you have any questions on how this could impact your business, please contact a member of the GS Cybersecurity and Data Privacy team.