• Print Page
  • Email Page
  • Share this page

United States and European Union Take Big Steps to Finalize New Data Transfer Frameworks

February 17, 2016

PDF Article PDF

February has seen major developments towards completing two data transfer agreements between the United States and the European Union. Representatives from U.S. and EU administrative bodies agreed to a framework to replace the invalidated EU-U.S. Safe Harbor, and Congress passed a bill key to the completion of a separate agreement to facilitate data transfers for European and U.S. law enforcement agencies.

On February 2, the European Commission announced an agreement with the United States Department of Commerce to create a new framework for the transfer of personal data of EU data subjects to U.S. businesses. The new framework, called the EU-U.S. Privacy Shield, attempts to address concerns cited by the European Court of Justice that caused it to invalidate the EU-U.S. Safe Harbor last October.

The Privacy Shield will require participating businesses to publicly make commitments to protect the personal data of European data subjects. Similar to the old Safe Harbor framework, the Department of Commerce and the Federal Trade Commission will enforce the Privacy Shield requirements. In addition to informal dispute resolution through the businesses, the Privacy Shield would also establish an external dispute resolution mechanism free of charge to EU data subjects. The framework will also allow European Data Protection Authorities to refer privacy complaints to the Federal Trade Commission.

The Privacy Shield incorporates new mechanisms to address the European Court of Justice's national security surveillance concerns. The U.S. will make binding written assurances that the processing of personal data for national security purposes is properly limited, and establish a State Department ombudsman to respond to inquiries and concerns about the Privacy Shield from European Data Protection Authorities and data subjects. The new framework will also include an annual U.S.-EU joint review to ensure compliance with program requirements by the intelligence community.

The Commission is expected to send a formal description of the agreement before the end of February to the Article 29 Working Party, a group comprised of the National Data Protection Authorities of the European Union member states. After the Working Party has commented on the Privacy Shield, and representatives from European Union member states approve the framework, the Commission will decide whether to formally approve the Privacy Shield. In the meantime, the Working Party will continue to honor other data transfer mechanisms such as Binding Corporate Rules and Model Contract Clauses.

While the European Union takes steps to finalize the Privacy Shield, Congress also took steps to facilitate data transfers by passing the Judicial Redress Act. The Act allows EU nationals to sue designated federal agencies for violations of the Privacy Act. Congress sent the bill to the President, who is expected to sign it. The Act is both a way to ease the process for completing the Privacy Shield, and a prerequisite to finalizing the EU-U.S. Umbrella Agreement, which places privacy requirements on transfers of personal information between the United States and the EU for law enforcement purposes. With these steps out of the way, both agreements are expected to be formally accepted within a few months.

For more information, please contact:

Robert McFarlane

415-995-5072 Direct Phone
415-541-9366 Fax

Email Attorney


COVID-19 Resource Center

Join Our Mailing List

Related Practices