Uncertainty looms for EU-US data transfers, despite announcement of deal

The European Court of Justice made headlines this fall when it struck down the 15-year old “Safe Harbor” agreement that had permitted the transfer of personal data between the E.U. and companies in the U.S. On February 2, 2016, representative of the European Commission and the United States announced an agreement to replace Safe Harbor with a new framework called “Privacy Shield.” The announcement, however, was light on specifics, and the Privacy Shield agreement is still subject to numerous approvals before going into effect. For the time being, the thousands of companies that had relied on the Safe Harbor framework to transfer personal information between the U.S. and the E.U. will remain in limbo.

As background, the European Commission’s 1998 Directive on Data Protection requires every E.U. member state to implement national laws regulating the processing of personal data relating to E.U. citizens, and prohibiting the transfer of personal data to countries whose laws do not contain what the E.U. deems “adequate” protections. From the E.U’s perspective, U.S. privacy law does not provide adequate protections. To address this problem, the U.S. and the E.U. developed the “Safe Harbor” framework, under which U.S. companies that self-certified that they adhered to seven privacy protection princples, were deemed to have adequate safeguards in place, permitting the transfer of personal data. This approach was approved in a 2000 decision by the European Commission known as the “Safe Harbor Decision”

This fall, the European Commission reversed the 2000 Safe Harbor Decision, specifically citing revelations of mass surveillance by the National Security Agency. As a result of that decision, companies that had self-certified compliance with the safe harbor framework could no longer rely on this as an assurance that they would not be investigated or subject to an enforcement action by the Data Protection Authorities of any of the E.U. member states.

Under intense pressure to negotiate a new agreement, the U.S. and E.U. negotiators have now announced the Privacy Shield Agreement, a cornerstone of which is written assurance from the United States regarding surveillance practices.

Despite the announcement of an agreement, however, private companies that transfer personal data between the U.S. and the E.U. remain in the dark about the specifics of what they need to do to avoid potential investigation, prosecution and fines from the many data protection agencies across Europe’s individual member states. The effect of the November ruling overturning the Safe Harbor Decision is that privacy enforcement is now the responsibility of these national entities, and it is difficult to predict how aggressively they may or may not act. At present, Privacy Shield is just an agreement to agree – the details are still being negotiated, and afterwards it will need to be approved. While the goal of an agreement is to provide certainty and predictability for businesses, this goal remains elusive, at least in the short term.