EU-U.S. Privacy Shield: gray period for businesses


Following the European Court of Justice (ECJ) ruling that declared invalid the ‘Safe Harbor’ agreement for transatlantic data exchanges between the United States and the European Union, the European Commission announced on 2 February that the parties had – with delay – found agreement on a new framework: the EU-U.S. Privacy Shield. The invalidation of Safe Harbor has created legal uncertainty for the European digital economy by casting doubt over whether practices of data processing are breaching EU law. Moreover, the agreement reached on 2 February only means that negotiations have succeeded – uncertainties still remain since it has not yet been finalized.

Current State of Play on the EU-U.S Privacy Shield agreement

The agreement provides for a three-month period for the final deal to be worked out by EU and U.S. authorities. Therefore, the finalized agreement is expected to be adopted by the summer of this year. Until then, the current “hand-shake” agreement provides for no legal basis and businesses engaged in transatlantic data flows continue to operate in a legal gray zone.

European Commissioner Vera Jourová recently declared that the Commission is currently finalizing the legal texts of the agreement and plans to unveil a draft “adequacy decision” by the second half of February. However, the formal passing of the decision will be dependent on the Opinion of the Article 29 Working Party (WP29), a working group of Member States’ national data protection authorities, which has announced a statement for the end of March.

Consequently, a final and legally binding adoption of the EU-U.S. Privacy Shield is not expected before April 2016. It is assumed that this accelerated approach by the Commission can be traced back to a request under the Freedom of Information Act on 4 February by the Electronic Privacy Information Center, a U.S. privacy think-tank, with the U.S. Department of Commerce seeking the “immediate release” of the framework to the public.

Details of the new agreement

Besides its basis in the current Safe Harbor agreement, the new framework, according to Commission Vice-President Andrus Ansip, includes “robust and significant improvements”. Although specific details will be largely unknown until the presentation of the Commission’s adequacy decision, Ms. Jourová and Mr. Ansip have already announced the following key elements: 
• The U.S. government has given binding assurances to the EU regarding adequate restrictions on mass surveillance, effectively ruling out the mass surveillance of personal data transferred to the U.S. intelligence agencies. 
• The establishment of an annual joint review process to monitor the implementation of the agreement. 
• The establishment of an Ombudsman, designated to oversee privacy complaints from EU citizens, who will work from the U.S. State Department. 
• The adoption and implementation of the amended Judicial Redress Act by the United States Congress providing specific amendments covering European states.

Legal standpoint for businesses within the three-month “gray” period

Until a final agreement on the Privacy Shield framework, companies transferring data across the Atlantic continue to operate in a legal gray zone. Since the ECJ ruling, it is illegal for a business to transfer data to the United States under the Safe Harbor framework. However, they may continue transferring personal data under alternative legal means, such as binding corporate rules and standard contractual clauses.

Ecommerce Europe welcomes the signal sent by national data protection authorities that they would not yet initiate legal proceedings against companies transferring data but that they will wait for the outcome of the negotiations and final agreement. However, Ecommerce Europe believes that – under this temporary solution – businesses will continue to face legal uncertainty as they stand at the mercy of national data protection authorities, which may decide to pursue claims on an ad-hoc basis.

Next steps

The European Commission will provide the WP29 with all relevant documentation relating to the EU-U.S. Privacy Shield and will release its adequacy decision by the end of February. This adequacy decision will be legally binding for Member States and their data protection authorities until revoked or declared invalid by the European Court of Justice. Ecommerce Europe will analyze the text of the Privacy Shield agreement once it is finalized and published.

For more information see:

 Statement by the European Commission on the “EU-U.S. Privacy Shield”
• Statement of the Article 29 Working Party on the “EU-U.S. Privacy Shield” (PDF)
• FOIA request for the Privacy Shield framework (PDF)
• European Court of Justice Judgement on the Safe Harbor framework (PDF)