On February 2, 2016 the European Commission announced that it had reached a preliminary agreement with US institutions on the upcoming Privacy Shield – the deal that will regulate the transfer of EU citizens’ personal data in lieu of the now-defunct Safe Harbor. The new framework is likely to be more burdensome for businesses than the previous one, given the stricter checks on compliance and the regular reviews to which they will be subject. This might be received as bad news by businesses; however, it cannot be considered surprising given the direction taken by EU institutions in protecting privacy in recent years.
A greater burden for businesses
Following lengthy and complicated negotiations, the European Commission has agreed a preliminary deal with US institutions to replace Safe Harbor, which was effectively struck down by the European Court of Justice (ECJ) in October 2015. The agreement ensures that US companies handling EU citizens’ personal data will be able to carry on doing so.
The new framework will be more burdensome than the previous one because it includes transparency obligations and regular checks on how companies handle the personal data they transfer to the US. In addition, there will be annual reviews of the functioning of the agreement. This is likely to provide an incentive for all parties to make it work in practice and should be an effective way to ensure that the framework remains up to date.
The details of the deal should come as no surprise to any of the stakeholders, given that a review of the Safe Harbor agreement was imminent even before the ECJ’s decision. The EC and member states’ national Data Protection Authorities have been much less tolerant of privacy breaches for several years now. The drafts that will be set out in the coming months will reveal the details of the deal’s dispute resolution and redress mechanisms, which are intended to ensure that EU citizens’ complaints can be handled properly if they fall victim to data breaches. However, we must now wait for US legislators to pass a judicial redress act as promised – something they should do soon if they have the interests of US tech companies at heart.
Luca Schiavoni, Senior Analyst, Regulation