The October 6, 2015, decision of the Court of Justice of the European Union in the Schrems v. Facebook case left significant uncertainty surrounding the legality and practicality of U.S. technology companies’ ability to process and use personal data received from the EU, in the absence of the Safe Harbor framework. Since that date, parties on both sides of the Atlantic have been waiting for clear guidance from U.S. and EU regulators on how to deal with data transfer between the EU and U.S. Pressure only mounted as the January 31st, 2016, deadline set by Europe’s national data protection authorities came and went. But today, U.S. and EU regulators announced that they have come up with a new framework for transatlantic data flows, dubbed the EU-U.S. Privacy Shield.
Details and the actual text of the Privacy Shield agreement between the EU and U.S. were not immediately available, but regulators on both sides have confirmed that the parties have reached an agreement in principle that will allow for the continuation of an important mechanism for transatlantic data transfers outside of binding corporate rules and model contractual clause arrangements. As of now, only a few key elements of the Privacy Shield framework have been identified:
For now, these broad strokes are all that is known about the accord, as neither EU nor U.S. officials have provided details on when the final text may be released. The Department of Commerce has, however, indicated that it is planning to offer briefings regarding the Privacy Shield framework, and how it differs from the prior Safe Harbor framework.
The next major milestone is securing approval for the Privacy Shield framework. To do so, the European Commission will prepare a draft “adequacy decision” to present to the Article 29 Working Party and the Member States before the Privacy Shield framework can be approved and adopted. Commissioner Věra Jourová has indicated this process could take up to three months.
In the meantime, it remains to be seen what view the European data protection authorities will take with regard to current non-compliance with EU laws regarding data transfers. It would seem unlikely that regulators will aggressively bring enforcement actions given that the framework is still in a state of flux and a new Shield is imminent. However, companies should continue to evaluate ways to mitigate risk.