After January 31, 2016, the deadline imposed by WP29 expired. Pessimism was expressed regarding the ability of the EU and U.S. to reach a deal that addresses the requirements set out by the Court of Justice of the European Union (CJEU) in Maximilian Schrems v. Data Protection Commissioner, European Commission Vice President Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality, Věra Jourová. It was announced on February 2, 2016, that the EU Commission and the U.S. have agreed on a new arrangement − the “EU-U.S. Privacy Shield” − which will replace the Safe Harbour agreement. The arrangement is intended to come into effect within three months of the announcement. During this time, the EU and U.S. have to finalize the implementation mechanism and the monitoring regime. EU Council commissioners (college) have given the mandate to Vice President Ansip and Commissioner Jourová to prepare a draft adequacy decision to adopt the EU-U.S. Privacy Shield.
The EU-U.S. Privacy Shield, as presented to Vice President Ansip and Commissioner Jourová, should meet the requirements of the CJEU’s Schrems decision and include:
- a new framework arrangement, which will not be a one-off decision as it was in 2000, as it is subject to annual joint reviews and the EU Commission will evaluate and report once a year (with the first annual review held in 2017);
- a strong U.S. commitment not to carry out mass surveillance of EU citizens and access to data made transparent by all means, including public authorities, media, companies and civil society; and
- a three-step mechanism providing independent oversight and individual redress rights, including the creation of an independent and dedicated U.S. ombudsperson to ensure that U.S. authorities process EU citizens’ data in a lawful way and provide them with a real capacity to act and exercise redress rights.
Once implemented, the EU-U.S. Privacy Shield safeguards should also address concerns raised in relation to transfers of personal data to the U.S. outside of the Safe Harbour arrangement, including pursuant to EU-approved Standard Contractual Clauses. The coming days and weeks will shed more light on the terms of the EU-U.S. Privacy Shield and its implementation framework. We will monitor these changes and report to you on a regular basis. Should you need assistance, please do not hesitate to contact the McGuireWoods data privacy and security team.
For more information on ex-Safe Harbor, please also refer to the following prior Password Protected blog posts:
U.S. Chamber of Commerce and BusinessEurope Request Quick, Perennial Safe Harbor Fix
Safe Harbor Invalidated by the CJEU; Are There Other Solutions for Transatlantic Transfers?
Means, Other Than Safe Harbor, of Transferring Personal Data to the U.S. Potentially Vitiated?
CJEU Declares the EU Commission Safe Harbor Decision Invalid
Advocate General Bot Proposes That CJEU Declare the Safe Harbor Invalid
European Hearing on the Future of Safe Harbor