EU-U.S. Safe Harbor Agreement

On October 23, 2019, the European Commission (“Commission”) published its Report on the third annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report “confirms that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” (see also the Commission’s Press Release).  The Report welcomed a number of improvements following the second annual review, including efforts made by U.S. authorities to monitor compliance with the framework, as well as key appointments that have been made in the last year.  The Commission in particular noted the appointment of Keith Krach to the position of Privacy Shield Ombudsperson on a permanent basis, filling a vacancy that had been noted in previous reviews.  The Report also provided a number of recommendations for further improvement and monitoring.

Recognizing that, in its third year, Privacy Shield has “moved from the inception phase to a more operational phase,” the Report placed particular emphasis on the effectiveness of the “tools, mechanisms and procedures in practice.”  Not only has the number of Privacy Shield certifications exceeded 5,000 companies — eclipsing in three years the number of companies that had registered to the Safe Harbor Framework in its nearly 15 years of existence — the Report also noted that “an increasing number of EU data subjects are making use of their rights under the Privacy Shield and that the relevant redress mechanisms function well.”

As with prior reviews, the Commission sought feedback from trade associations, NGOs, and certified companies, and  addressed the functioning of (i) the framework’s commercial aspects, and (ii) U.S. authorities’ access to personal data.

Continue Reading Privacy Shield Third Annual Review

On January 12, 2017, the U.S. Federal Trade Commission announced the adoption of a Swiss-U.S. Privacy Shield, to replace the existing Swiss-U.S. Safe Harbor Agreement.  Companies have a three month grace period to switch from the old to the new regime.

The Swiss version of the Privacy Shield had to be negotiated following the invalidation

On September 16, 2016, Digital Rights Ireland (“DRI”), a digital rights advocacy group, lodged an action with the EU General Court for annulment of the European Commission’s Decision on the EU-U.S. Privacy Shield arrangement.  While the existence of the application has only recently become public knowledge, it was widely-expected that the Privacy Shield would face a legal challenge.  It is also unsurprising that DRI have brought the action (given its objections to the Privacy Shield before it was agreed and its intervention in the Safe Harbor case).

Background

The Privacy Shield was agreed earlier this year, replacing the Safe Harbor framework that was invalidated by the Court of Justice of the EU (“CJEU”) in Schrems.  The Privacy Shield provides a legal basis for transfers of personal data from the European Economic Area to Privacy Shield-certified companies in the U.S.  To date, over 600 companies have certified to the Privacy Shield.  The Privacy Shield contains a much more robust set of commitments than those underpinning the Safe Harbor and will provide stronger protections to data subjects in the EU than its predecessor.
Continue Reading Challenge to EU-U.S. Privacy Shield Lands at EU Court

On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here).

That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11).  Once translated and published in the Official Journal of the EU, the adequacy decision will then enter into force.

However, there may need to be an implementation period during which the EU and U.S. put in place relevant structures; it is expected that Commissioner Věra Jourová will provide more details to the European Parliament on Monday, and in a joint press conference on Tuesday with U.S. Secretary of Commerce Penny Pritzker.

Once that implementation phase is complete, U.S.-based companies will be able to self-certify under the Privacy Shield.  Doing so provides a legal basis which entities in the European Economic Area can rely on to transfer personal data to those Privacy Shield-certified companies in the US.
Continue Reading Privacy Shield Deal Passes Major EU Hurdle

Today, the Article 29 Data Protection Working Party (“Working Party”), a group consisting of representatives from the European data protection authorities, the European Data Protection Supervisor, and the European Commission, published its opinion on the EU-U.S. Privacy Shield draft adequacy decision (“Opinion”) (see here). The Opinion is accompanied by a second document, Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (“European Essential Guarantees”) (see here). This document sets out EU standards for surveillance by public authorities in the EU and U.S., as formulated by the Working Party. The Working Party also issued a press release (see here). The chairwoman of the Working Party, CNIL President Falque-Pierrotin, presented the documents today in a press conference, a recording of which is available here.

According to the Working Party, the Privacy Shield contains significant improvements compared to the now-defunct EU-U.S. Safe Harbor framework; however, there remain certain concerns and a need for clarification. 
Continue Reading EU Data Protection Authorities Call For Further Clarifications on the EU-U.S. Privacy Shield and Raise Some Concerns

As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce.  Commerce’s release coincided with the release of a draft adequacy decision by the European Commission.

A number of the Privacy Shield principles, notably in enforcement, onward transfer, and regular review, are significantly more stringent than the Safe Harbor.  In light of these new obligations, among others, privacy professionals should carefully consider whether this data-transfer framework is right for their companies.

  1. Tougher and Binding Remedies and Enforcement

In addition to FTC enforcement under Section 5, the Principles encourage individuals to bring their complaints directly to the organization at issue, to which the signatory must respond within 45 days.  If the complaint is not resolved, the consumer may bring his or her complaint before an independent dispute resolution body.  The Principles allow signatories to utilize U.S.- or EU-based dispute resolution bodies, or a panel of EU member state data protection authorities (DPAs).

Continue Reading Privacy Shield: Top Five Reasons It’s Tougher Than the Safe Harbor, Whether You Should Certify, and Next Steps

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an opinion by the Article 29 Working Party, representing, among other things, the EU’s data protection authorities, is a key next step that will shape enforcement and data transfer options for companies in the post-Schrems environment.  Until then, here is a summary of the approach that some of the national DPAs are taking:
Continue Reading EU DPA Enforcement Guidance Post-Schrems

On February 3rd, the Article 29 Working Party, representing Europe’s data protection authorities, published its reaction to the announcement of a new “Privacy Shield” political agreement between the European Commission and the U.S. Government.  The Privacy Shield agreement, announced on February 2nd (and further described in our blog post here), is intended to replace the now-defunct Safe Harbor Framework, and may form a future legal basis for transatlantic data flows between Europe and the United States.
Continue Reading Article 29 Working Party Reacts to the U.S.-EU Privacy Shield Agreement

Today (February 2nd, 2016), the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.
Continue Reading Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield