On 2 February 2016, the European Commission and the United States agreed on a new framework for transatlantic data flows. Instead of "Safe Harbor", the new agreement is called the "EU–US Privacy Shield". The EU member states and the European Parliament still need to approve the arrangement in the upcoming days.
The new framework should provide legal certainty to companies after the confusion caused by the Schrems ruling [see: Safe Harbour No Longer] of the Court of Justice of the European Union on 6 October 2015, in which the court declared the Commission's endorsement of the Safe Harbour arrangement invalid.
The new arrangement will impose more stringent obligations on US companies to protect the personal data of EU citizens. It will also impose stronger monitoring and enforcement obligations on the US Department of Commerce and Federal Trade Commission, for example, through increased co-operation with European data protection authorities.
The agreement includes the following provisions:
The implementation of the arrangement will be subject to annual joint reviews to monitor the functioning of the arrangement. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the United States and European data protection authorities to participate.
The day after the conclusion of the negotiations, on 3 February, the Article 29 Working Party, representing EU's data protection authorities, published its reaction to the agreement.
The Working Party welcomes the agreement and will now assess whether the arrangement is sufficient considering the right to respect for private life and data protection enshrined in European fundamental rights law. The Working Party will analyse the result of the negotiations in the light of the essential guarantees for intelligence activities elaborated in the jurisprudence of the European Court of Justice.
The European Commission will prepare a draft "adequacy decision" in the upcoming weeks, which could then be adopted by the College of Commissioners at the European Union after obtaining the advice of the Article 29 Working Party and after consulting representatives of the EU member states.
The United States, for its part, will make the necessary preparations to enforce the framework, monitoring mechanisms and the Ombudsperson.
Once found adequate by the Commission, the Privacy Shield agreement will provide a valid legal basis for transatlantic data flows, thereby removing the enforcement uncertainty currently facing European companies that have not switched from using the now-defunct Safe Harbour.
In welcoming the agreement, the Article 29 Working Party also confirmed that so-called standard contractual clauses and binding corporate rules can still be used for transferring personal data to US companies and services.
At the same time, however, the Working Party communicated that, once the full assessment of the Privacy Shield documentation has been carried out, it will provide an overall statement of validity on all methods of transferring personal data to the United States.
The last word has not been said on this subject, so stay tuned.