How the EU-U.S. Privacy Shield Impacts Data Transfers
This month, the European Commission announced plans for a new privacy framework to replace Safe Harbor, which protected personal information being transferred between the European Union and the United States for 15 years before being invalidated in October. Safe Harbor was declared invalid primarily due to concerns over U.S. authorities accessing personal data transferred between the U.S. and the EU Member States. American companies' compliance with surveillance requests from agencies such as the NSA potentially put them in conflict with the privacy policies put in place by Safe Harbor.
After the invalidation of Safe Harbor, negotiations over how to replace the transatlantic privacy framework went on for three months, with two issues causing the most delays: what access the U.S. security services have to European data and how Europeans can sue if their data is mishandled. Because the text of the new framework is not yet available, the details of these solutions and their enforcement are not yet known. According to a press release by the European Commission, however, the arrangement will include the following new features:
- Strong obligations on companies handling Europeans' personal data and robust enforcement
- Clear safeguards and transparency obligations on U.S. government access
- Effective protection of EU citizens' rights with several redress possibilities
While the EU-U.S. Privacy Shield is a positive development for many reasons, it's important to remember that the downfall of Safe Harbor represents the EU's general feeling, which has not shifted since Safe Harbor was invalidated, that privacy in the U.S. is not as strong as privacy in the EU. Although I disagree completely with that sentiment, it is important to be aware how many Europeans feel this way and to realize that the EU-U.S. Privacy Shield will continue to remain vulnerable to a similar fate as Safe Harbor.
Companies should therefore consider alternatives to the Privacy Shield and contemplate how to minimize data transfers or to execute them in a way that will appease EU critics, in order to create a corporate data transfer system that will be viable long-term. Lawful data transfers can be conducted through means such as Binding Corporate Rules and Standard Corporate Contracts.
The future of the Privacy Shield is uncertain at this point. The EU Data Protection Authorities (DPAs) requested that the full text be delivered for review by the end of this month, and they will likely deliver a recommendation in March. If the recommendation is positive, the Privacy Shield will go forward into becoming law; otherwise, negotiations between the EU and U.S. will resume. Stay tuned for updates on the changes to transatlantic data transfer policies that will come in the months ahead so that your business can remain compliant when transferring and storing European data.