Restoring Trust: EU-US Privacy Shield Replaces Safe Harbor

Personal privacy has become a contentious issue that generates a great deal of debate within our society and among policy makers. How someone’s personal data may be used by third parties is the subject of considerable debate and has resulted in important court decisions, not the least of which is the Safe Harbor Decision in 2000.

In our previous blog post about Safe Harbor, we provided some background information on the history of the agreement between the U.S. and the European Union (EU). We also discussed the impact of the judgment by the European Court of Justice (ECJ) ruling that the Safe Harbor Decision and its resulting agreement were both invalid. That left a void for American businesses operating in Europe that had negotiators from both sides of the Atlantic scrambling to work out a new agreement since Safe Harbor was struck down in October 2015.

Introducing Privacy Shield

European data protection authorities (DPAs) gave the EU and the U.S. until the end of January 2016 to work out a suitable successor to Safe Harbor that would adequately address the problems with Safe Harbor that were highlighted by the ECJ. Although negotiators failed to meet their deadline, they announced on February 2, 2016 that they had reached a new agreement that would ensure greater protection for personal information that is moved from Europe to the U.S.

The new deal, dubbed the EU-US Privacy Shield, brings with it tougher new requirements for American businesses and government agencies. It promises to hold U.S. companies more accountable for how they handle personal data entering the country from Europe and to place clear restrictions and limits on how U.S. law enforcement and national security agencies can access this data. Most importantly, the Privacy Shield agreement introduces methods by which EU citizens file complaints and seek corrective action when they believe that their personal data has been misused.

What Comes Next?

Without a well-defined mechanism in place to support the protection of EU personal data in the U.S., Europeans could not be blamed for being skeptical about the effectiveness of Privacy Shield. However, in late February 2016, U.S. President Barack Obama signed into law the Judicial Redress Act. This new law effectively provides select allies of the U.S. with the same protection offered to U.S. citizens under the Privacy Act.

The passing of the Judicial Redress Act was resoundingly welcomed by the European Commission, which acts as the executive body for the EU.

“This agreement will guarantee a high level of protection of all personal data, regardless of nationality, when transferred across the Atlantic for law enforcement purposes,” said Justice Commissioner Věra Jourová from the European Commission. “It will strengthen privacy, while ensuring legal certainty for transatlantic data exchanges between police and criminal justice authorities.”

In addition to the new law, the U.S. is also required to implement a new framework and monitoring mechanism to ensure proper handling of personal data from the EU and to appoint a new Ombudsman to handle complaints.

On the other side of the pond, the European Commission must draft an “adequacy decision” that will form the basis of a proposal to be considered by a working party composed of the DPAs of the EU member states as well as a separate committee before being adopted by the Commission. While the adequacy decision is expected to be ready by the end of February, the working party has announced that it would make its opinion on the agreement known by the end of March.

By establishing a well-defined system to ensure that all personal data coming from Europe into the U.S. is adequately protected, a greater level of trust can be built between EU citizens and American companies. The safeguards that will be put in place under Privacy Shield will be much stronger and more enforceable that those that were in place with Safe Harbor.