'Privacy Shield' Framework Announced for Data Transfers from the European Union to the United States

February 4, 2016

On February 2, 2016, the U.S. and European Commission announced they had reached a political agreement on an “EU-U.S. Privacy Shield,” which is intended to establish a new framework for the transfer of personal data from the European Union (EU) to the U.S. The agreement, the result of months of intense negotiations, aims to resolve the uncertainty that has resulted following the Schrems decision by the European Court of Justice (ECJ) in October 2015, which struck down the original information-sharing Safe Harbor arrangement that had been in place since 2000.

Schrems decision

In Schrems v. Data Protection Commissioner, the ECJ invalidated the European Commission’s decision in 2000 on the adequacy of U.S. privacy protections established under the Safe Harbor scheme to facilitate the transfer of European citizens’ personal information between the EU and the U.S. Under that agreement, U.S. companies were allowed to self-certify their compliance with EU privacy laws. The court in Schrems ruled that any data transferred outside of the EU must receive “essentially equivalent” privacy protections to those in the EU, and expressed concern that U.S. governmental surveillance made that equivalency impossible. The court focused on the fact that certain U.S. legislation permitted U.S. public authorities to store and access personal data transferred from the EU to the U.S. on a generalized basis. It held such access was without any limitation in accordance with the principle of necessity, and there were no remedies available to EU citizens to access, rectify, or erase such data. For these reasons the ECJ held the Safe Harbor scheme compromised the fundamental rights of EU citizens to their private life, on which EU data protection rules are based.

The Safe Harbor scheme had allowed over 4,000 companies to transfer data from the EU to the U.S. However, following the Schrems decision, data protection authorities (DPAs) of the EU member states maintained that such international transfers of personal data could not take place under Safe Harbor until the shortcomings identified by the court had been remedied, creating significant uncertainty for these companies and their customers. Further increasing this uncertainty, the advisory organization representing the DPAs of all EU member states, the Article 29 Working Party (29WP), has taken the position that the Schrems judgment means the Safe Harbor does not provide a valid mechanism for transferring data. According to the 29WP, the only permitted alternatives available to such companies are to use specific standard contractual clauses or binding corporate rules, although these may not be appropriate for the types of activities and transfers envisaged by these companies.

Features of the Agreement

While the precise details and contours of the EU-U.S. Privacy Shield are still being finalized on both the EU and U.S. sides, press releases from EU Justice Commissioner Vera Jourová and the U.S. Department of Commerce indicate that the agreement includes:

  1. Strong obligations on companies handling Europeans’ personal data and robust enforcement
    In particular, U.S. companies will need to commit to robust protections for European data. The Department of Commerce will monitor compliance, and the Federal Trade Commission will be responsible for taking enforcement action against noncompliant companies. Furthermore, companies handling human resources data from the EU must commit to being bound by decisions by EU DPAs. 
  2. Clear safeguards and transparency obligations on U.S. government access to data
    The U.S. government has assured the European Commission that U.S. government and law enforcement access to Europeans’ data will be limited, and allowed only to the extent necessary. Under the agreement, there will be an annual joint review by the Department of Commerce and the European Commission of these safeguards, including exceptions for national security purposes.
  3. Effective protection of EU citizens’ rights with multiple avenues for redress
    European citizens who believe their data has been misused will have several redress avenues, including Alternative Dispute Resolution at no charge to the individual. They can also register complaints with their country’s DPA for referral to the Department of Commerce and FTC. For complaints relating to possible access by the U.S. intelligence community, an ombudsman will be established in the State Department to act as a first point of contact.

Next Steps

Within the next few weeks, Commissioner Jourová and Andrus Ansip, Vice President for the Digital Single Market, are expected to issue an “adequacy decision” confirming that the Privacy Shield will provide “essentially equivalent” privacy protections for Europeans’ data in the U.S. as they would have in Europe. This can only be adopted by the European Commission after it has consulted national DPAs and representatives of the EU’s 28 member states.

One important component of the Schrems judgment was the finding that the supervisory powers of DPAs, as established by current EU data protection laws, cannot be curtailed by an adequacy decision by the European Commission. For this reason, the DPAs’ response to the European Commission’s adequacy decision as to the EU-U.S. Privacy Shield will be key. In its initial response, the 29WP has welcomed the agreement but indicated it will need to review the details before giving its approval. In a sign that the framework might meet with some resistance, the 29WP reiterated concerns that the current U.S. legal framework did not adequately protect certain guarantees afforded under EU data protection law. Separately, European privacy-rights advocates are said to be preparing to file legal challenges to the agreement, having expressed concern that the agreement does not comply with European law and that U.S. laws remain unchanged.

On the U.S. side, the Department of Commerce, FTC, and State Department are preparing for the introduction of the new framework, the establishment of monitoring mechanisms and the creation of a new Ombudsman’s office. Further details of the EU-U.S. Privacy Shield should be available in the coming weeks, and if the new framework is approved by both sides, it is expected to be introduced within three months.

With the potential introduction of the EU-U.S. Privacy Shield, entities that collect user data on an international basis may have to navigate several, possibly conflicting, obligations in numerous jurisdictions, including the adoption in the U.S. of the Cybersecurity Act of 2015 and China’s adoption of data privacy measures in its Anti-Terrorism Law¹ and the pending draft of the Cyber Security Law. These obligations should be considered when facilitating the correct control, processing and transfer of data, or when framing an effective incident response plan where data has been lost or stolen.

Clients with any further queries in relation to these developments are invited to contact O’Melveny & Myers for further information and advice.

¹ See Here

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Ronald Cheng, an O'Melveny partner licensed to practice law in California and as a Registered Foreign Lawyer in Hong Kong, Matthew Close, an O'Melveny partner licensed to practice law in California, Tom Donilon, an O'Melveny partner licensed to practice law in the District of Columbia, Randy Edwards, an O'Melveny partner licensed to practice law in California, Danielle Gray, an O'Melveny partner licensed to practice law in New York, Jeremy Maltby, an O'Melveny partner licensed to practice law in California, the District of Columbia, and New York, Killian Kehoe, an O'Melveny associate licensed to practice law as an Avocat in Belgium and as a Solicitor in Ireland, and Evan Schlom, an O'Melveny associate licensed to practice law in the District of Columbia and California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
