left-caret

PH Privacy

EU-U.S. Safe Harbor Update: Agreement in Principle on Aspects of a New Framework

November 06, 2015

Mary-Elizabeth M. Hadley

In a speech earlier this week, European Justice Commissioner Vera Jourová announced that there was agreement “in principle” between the European Union (“EU”) and United States regarding components of a new safe harbor framework for transatlantic data flows. 

The urgency of reaching an amended agreement stems from the European Court of Justice’s (“ECJ”) landmark opinion earlier this month, overturning the European Commission's (“EC”) 15-year old decision that the privacy principles of the former U.S.-EU Safe Harbor Accord provide an adequate level of protection of the personal data of EU citizens.
According to Commissioner Jourová, the EC “immediately resumed discussions” with the United States to develop an enhanced safe harbor mechanism that will address the ECJ’s concerns, leading to some progress on several key issues.

  • With respect to the ECJ’s finding that a system based on self-certification requires “effective detection and supervision mechanisms,” for example, Commissioner Jourová noted that the United States has committed to stronger oversight by the Department of Commerce, enhanced cooperation with European data protection authorities and priority treatment of complaints by the Federal Trade Commission.  Accordingly, the system will be transformed from “purely self-regulatory” to “an oversight system that is more responsive as well as pro-active and back[ed] up by significant enforcement, including sanctions.”

  • In addition, recognizing the ECJ’s view that adequacy decisions are living documents, the EC is working with the United States to implement an annual joint review mechanism to “cover all aspects of the functioning of the new framework, including the use of exemptions for law enforcement and national security grounds, and that will include the relevant authorities from both sides” of the Atlantic. 

  • Some steps have also been taken to address the “the biggest challenge of the judgment” – when public authorities may intervene, including for reasons of law enforcement and national security.  Commissioner Jourová explained that the EC is diligently negotiating with the United States to ensure sufficient limits and safeguards exist to prevent generalized access or use of personal data and to guarantee “sufficient judicial control over such activities.”  She praised recent reforms such as the USA Freedom Act, which will alter the way U.S. agencies gather data and conduct surveillance, as well as President Obama’s Policy Directive 28 on amending the collection of signals intelligence.  Also significant to the Commissioner was the Judicial Redress Act, legislation which loyal blog readers will recall the U.S. House of Representatives passed last week and which would enable citizens of certain countries, such as those in the EU, to file suit against U.S. government agencies for certain Privacy Act violations.  Commissioner Jourová noted that the bill would soon reach the Senate floor and called on European lawmakers to engage with their counterparts in the United States on the issue.
    Recognizing businesses’ need for additional clarity while safe harbor negotiations continue, Commissioner Jourová also promised “an explanatory Communication on the consequences of the [ECJ’s] ruling setting out guidance on international data transfers.”  In the interim, we again leave you with Paul Hastings’ recent presentation, outlining ten options to consider in the wake of the ECJ’s decision and a promise to keep you updated.