The U.S. Department of Commerce and the European Commission announced the Privacy Shield framework to replace the invalidated U.S.-E.U. Safe Harbor Agreement, but the agreement has not yet been committed to paper.
The Safe Harbor Agreement between the United States and the European Union permitted the importation of personal data from the E.U. by American businesses that self-certified as complying with the E.U. data protection laws. However, the E.U. Court of Justice (EUCJ) ruled in its October 6, 2015 decision in Schrems v. Data Protection Commissioner (Case C-362/14) that the Safe Harbor failed to protect Europeans, and it invalidated the Safe Harbor. Since the Safe Harbor was invalidated, businesses have been unsure how to legally continue to import data from the European Union to the United States.
The Privacy Shield is a new framework intended to govern the flow of data between the U.S. and the E.U. As of now, the details are still being worked out, but the negotiators involved in creating the Privacy Shield have outlined its broad principles. The Privacy Shield will have three main components: (1) new commitments by U.S. businesses to robust obligations on data processing, (2) redress for E.U. citizens to challenge alleged misuse of their data, and (3) limitations on U.S. government access to personal data.
The Article 29 Working Party (Working Party) will need to approve the Privacy Shield before it can go forward. The Working Party is an independent, enforcement-oriented advisory board composed of representatives of the national data protection authorities (DPAs), the European Data Protection Supervisor (EDPS) and the European Commission. It expects to have the documents to review the new Privacy Shield by the end of February.
In the meantime, the Working Party has announced that the DPAs will not bring enforcement actions until March or April against businesses that rely on the invalidated Safe Harbor while the details of how to proceed are still being worked out. The Working Party provided some assurances that, during the period of review and assessment, transfer mechanisms such as the Standard Contractual Clauses and Binding Corporate Rules (BCRs) can still be used to transfer personal data to the U.S. The Standard Contractual Clauses are form data transfer agreements approved by the European Commission, and BCRs are internal data processing rules binding on all members of a global corporate group to permit intragroup transfers of personal data.
However, virtually all transfers of E.U. personal data to the U.S. are still at risk, as there is no guarantee of how things will play out during this critical interim time. Thus, until the Privacy Shield is finalized, much uncertainty remains regarding the transfer of personal data from the European Union.