US and EU Announce the “Privacy Shield” – A New Transatlantic Data Transfer Agreement

On February 2, 2016, the European Commission announced that the EU and US had reached a new transatlantic data transfer agreement. Though not yet legally binding, the new agreement, referred to as the Privacy Shield, is intended to replace the 15-year-old Safe Harbor Agreement struck down by the European Court of Justice (CJEU) on October 6, 2015 in the case of Maximilian Schrems v. Data Protection Commissioner. Schrems filed complaints against Facebook in Ireland, where the company has its European headquarters, alleging that Facebook’s transfer of personal data from its EU servers to its US servers violated his privacy rights because the US did not adequately protect the transfer of his personal data. His claims were based on former National Security Agency (“NSA”) contractor Edward Snowden’s revelations about the US government’s mass data surveillance activities. The CJEU agreed that the NSA’s surveillance of European citizens violated their “fundamental privacy rights”, invalidated the Safe Harbor Agreement and set a three-month deadline for the formulation of a new agreement.

The text of the Privacy Shield has not been published and is not expected to be disclosed for several weeks. However, the European Commission’s announcement highlighted that the new agreement will impose stronger obligations on companies in the US to protect the personal data of EU citizens, place clear safeguards and transparency obligations on the US government, and include a multi-step complaint resolution and redress mechanism. This announcement should bring some measure of relief to companies that house or transfer personal data of EU citizens.

The new arrangement will include the following terms:

  • The US will create an Ombudsperson to handle complaints from EU citizens;
  • The US Office of the Director of National Intelligence will give written commitments that EU citizens’ personal data will not be subject to mass surveillance;
  • The EU and US will conduct an annual review to monitor the functioning of the new arrangement; and
  • European data privacy watchdogs will work with the Federal Trade Commission to address any flagged problems.

The Privacy Shield still requires the approval of EU member states but may be implemented in as little as three months. In the meantime, the US will work towards the establishment of a framework for participation in the agreement, including the appointment of an Ombudsperson in the State Department.