The European Union and United States announced today that they reached a new agreement, referred to as the EU-U.S. Privacy Shield (“Privacy Shield”), to replace the Safe Harbor Agreement struck down by the European Court of Justice in the Schrems decision, which more than 4,000 companies were able to use for the transfer of personal information concerning European citizens to the United States in the course of business.
The text of the Privacy Shield is not yet publicly available, and negotiators appear to be continuing to give attention to some of the wording. Thus, information on the Privacy Shield is incomplete and is drawn from initial governmental press releases, statements and briefings. As additional information becomes available, we will update with further guidance.
EU Justice Commissioner Jourova refers to the Privacy Shield as taking a “trust but check” approach. Regular reviews, including annually, are built into the agreement, and there will also be a suspension clause that can be invoked if it fails to operate appropriately. Some reported new and revised provisions, as compared to the prior Safe Harbor regime, include written assurances from the United States that any use of Europeans’ personal data for intelligence purposes will be necessary and proportionate, and a greater variety of avenues by which European citizens might obtain redress of concerns with handling of their data by U.S. intelligence agencies or corporations. Depending on the specific type of claim and circumstances, this could include access through European state representatives to an ombudsman in the U.S. State Department to address whether the safeguards concerning a European citizen were met and, as a last resort, if a company does not resolve a claim by a European citizen about how his or her personal data was handled, free binding arbitration with the possibility of judicial review subject to the Federal Arbitration Act. The U.S. Department of Commerce will monitor that companies publish their commitments, which will then be enforceable by the Federal Trade Commission. As always, the FTC will have the discretion to bring complaints, and there reportedly is some strengthening of commitments regarding FTC cooperation.
The new agreement will generally be welcomed by the business community on both sides of the Atlantic, even as they wait to see the details. Supporters are hopeful that it will allow for continued efficient handling of data subject to appropriate privacy protections, which will be important to the economies of Europe and the United States. At the same time, the new agreement will not be welcomed universally, as has been well-understood for some time. Some privacy advocates will be disappointed, and it will be challenged in the EU, as was the Safe Harbor agreement. The negotiators sought to reach an agreement that would withstand such tests. The reaction of the Data Protection Authorities will also be watched, and important developments may come quickly.
Initial estimates are that the Privacy Shield will take months to be put in place.