The E.U. and U.S. “Privacy Shield” – A Safe Harbor 2.0?

Posted by Matt CorneliaDating back to 1995, personal data transfers out of the E.U. required an “adequate level of protection” under Directive 95/46/EC. In order to streamline the process of ensuring adequate protection of personal data transfers from the E.U. to the U.S., data protection authorities negotiated the Safe Harbor agreement. The Safe Harbor agreement allowed U.S. companies to self-certify that they complied with E.U. privacy standards and thus lawfully transfer personal data from the E.U. In October of 2015, however, the European Court of Justice invalidated the popular Safe Harbor agreement, noting that it failed to provide adequate protection of personal data. The decision has left many companies that relied on the Safe Harbor framework searching for an alternative means to lawfully transfer personal data out of the E.U.Earlier this week, on February 2, 2016, U.S. and E.U. privacy working groups announced that they were able to reach an agreement to replace the invalidated Safe Harbor framework with a new framework called “Privacy Shield.” This announcement is welcome news for companies that transfer the personal data of E.U. citizens outside of the E.U. While the specifics of Privacy Shield remain unclear, the European Commission has announced several important themes.Some of the key themes of the Privacy Shield include:Clear limits will be placed on access to personal data by U.S. authorities.U.S. data protection authorities will implement more robust monitoring and enforcement.Companies must publish their commitments to data protection (rather than self certify), which will result in the FTC having enforcement authority.European residents will have standing to challenge how their data is handled by data processors through an ombudsmen that will act independent of intelligence agencies.There will be stronger obligations on U.S. companies and information service providers to protect data.Attorneys at Thompson & Knight continue to follow these developments closely. If you have additional questions, please contact one of Thompson & Knight’s Cybersecurity attorneys.