EU and U.S. Reach Agreement on Safe Harbor Replacement: 'EU-U.S. Privacy Shield'

The European Commission (EC) and U.S. Department of Commerce (DOC) have been negotiating a new Safe Harbor framework (Safe Harbor) governing the transfer of data from the European Union (EU) to the U.S. for over two years. After invalidation of Safe Harbor in October 2015 by the European Court of Justice (ECJ), EU Member State data protection authorities (DPAs) agreed to hold off on enforcement against companies utilizing Safe Harbor until January 31, 2016, thus imposing a de facto deadline on the framework negotiators to agree on a replacement by that time.

Today, the negotiators reached a deal on the successor framework, named the "EU-U.S. Privacy Shield" (Privacy Shield), to replace the invalidated U.S.-EU Safe Harbor framework.

Highlights of the Privacy Shield

Although the details of the arrangement have yet to be released, the EC announced some high-level points regarding the revamped program:

• It will include annual joint review of the program, by EC, DOC, DPAs and the U.S. national security agencies to evaluate whether changes are necessary.
• The EC is satisfied with the transparency and safeguards related to U.S. national security data collection that have now been put in place, including U.S. legislation curbing national security data collection, executive orders, the proposed Judicial Redress Act, and written assurances from the U.S. Director of National Intelligence.
• There will be an ombudsman in the U.S. Department of State who will follow up on referrals from national DPAs regarding EU citizen complaints about national security data use.
• There will be an added stop-gap dispute resolution mechanism in the form of binding arbitration for company data use cases that are not resolved after using other channels (namely direct complaint to company, independent recourse mechanisms, and DPA referral to U.S. authorities).
• There will be new requirements for onward transfers, that will likely require adapting existing contracts with  sub-processors.
• EU Commissioner Věra Jourová estimates that it will take approximately three months to have the Privacy Shield in place and ready for use after finalization and ratification in the EU and the U.S.

The Article 29 Working Party (WP29), consisting of the DPAs of all 28 Member States, is scheduled to meet in Brussels on February 3. Commissioner Jourova will discuss the Privacy Shield at that meeting, and seek the further advice of the WP29 on the new framework. We will provide further information after the meeting.

In addition, if the WP29 provides no new "grace period" for companies using the old Safe Harbor framework to legitimize data transfers, U.S. companies will have to rely on other mechanisms until the Privacy Shield becomes effective and companies certify to the terms of the new program. Until that time, the options include:

• EU-approved model contract clauses.
• Binding Corporate Rules (for intra-company transfers only).

Certain other specific derogations that are narrowly interpreted may also apply, including:

• Informed consent of the data subject (though this may not be possible for human resources or other data relating to employees).
• Performance of a contract (e.g., limited to circumstances such as booking a hotel in the U.S. where personal information must be provided to the U.S. entity to fulfill the contract).
• Important public interest grounds (e.g., cooperation between authorities regarding fraud or cartel investigations).
• The vital interest of the data subject (e.g., urgent life or death situations).