E.U.-U.S. Safe Harbor / “Privacy Shield” Update

Posted by Matt Cornelia

The past month has been a busy one for lawmakers and data protection authorities. As previously noted, the E.U./U.S. “Safe Harbor” was terminated on October 6, 2016. On February 2, the E.U. and U.S. agreed in principle on a new transatlantic data transfer mechanism—Privacy Shield. Just a week later, Congress passed the Judicial Redress Act, which entitles citizens of designated foreign countries to bring claims against U.S. companies for data privacy violations under the Privacy Act of 1974. Most recently, the text of the E.U.-U.S. Privacy Shield was released on February 29, along with a draft adequacy decision from the European Commission.

Notable differences between the old Safe Harbor and the new Privacy Shield include greater notice requirements, increased transparency, and stronger enforcement mechanisms. The agreed framework and newly released text of the Privacy Shield are important steps towards a renewed trust in transatlantic data flows between the E.U. and U.S. Until the European Commission officially releases an adequacy decision, however, the Privacy Shield is not officially adequate under E.U. law, and prior to that decision entities should continue to exercise caution in dealing with the new framework.

Attorneys at Thompson & Knight continue to follow these developments. If you have additional questions, please contact one of Thompson & Knight’s Cybersecurity attorneys.