Politicians in both the European Union and United States touted Tuesday’s agreement on a new “Privacy Shield” for EU-U.S. data transfers as a resolution to the data transfer quagmire that has faced companies since the EU-U.S. Safe Harbor was invalidated in October. While this new deal is a promising step in the right direction for companies that transfer data from the EU to the United States, there are still many questions about exactly what the requirements of the new Privacy Shield will be, how an American company can ensure compliance with those requirements and (perhaps most importantly) whether the European Court of Justice will validate the new rules.

Indeed, the deal heralded by politicians on both sides of the Atlantic appears to be only a high-level agreement—they expect to document the actual terms over the next few weeks (the Article 29 Working Party (WP29), the body made up of representatives of individual European Member States’ data protection authorities, has called for it to be fully documented by the end of February). Thus, we anticipate quite a bit more negotiation on the precise scope and language of the requirements. Meanwhile, WP29, which had been assessing data transfer mechanisms like standard contractual clauses and model contracts for possible flaws that would lead to enforcement actions, announced that it will not take enforcement actions based on its concerns about these mechanisms while it awaits the details of the new transfer deal.

For the moment, this is what we know about the primary elements of the Privacy Shield:

  • Increased monitoring and enforcement in the United States to be carried out by the Commerce Department and the Federal Trade Commission, including access for Europeans for judicial redress in the United States
  • Multiple channels for European data subjects to raise complaints about data misuse, including through the companies handling the data or through a newly created “privacy ombudsman for national security”
  • Commitments from the United States government about the increased safeguards and limitations to prevent access to transferred data by U.S. law enforcement and intelligence officials
  • Joint annual review of the Privacy Shield agreement

Again, though, it is by no means clear whether this new arrangement will meet with approval of European data protection authorities. Although WP29 has suspended enforcement for now, its leadership has expressed concerns about the enforceability of promises from the U.S. government (particularly the outgoing Obama administration) made only in an exchange of letters. And even if the data protection authorities approve, it is always possible that the Privacy Shield could be subject to a challenge in European courts by a concerned consumer—as was the Safe Harbor previously.

Assuming the Privacy Shield gets past these hurdles, it’s not yet clear as a practical matter what a company hoping to transfer EU data will need to do to comply. Presumably that will be spelled out more clearly when the full terms of the agreement are reduced to writing. Right now, most of the publicized details relate to additional restrictions and responsibilities imposed on the U.S. government. But, still, this is progress and we will continue to closely monitor the situation and report further as developments warrant.

 

Print:
TweetLikeEmailLinkedInGoogle Plus
Photo of Blaine C. Kimrey Blaine C. Kimrey

Blaine C. Kimrey is a Shareholder at Vedder Price, Chair of the Media & Entertainment Litigation practice group, and a member of the Privacy, CyberSecurity, & Media practice group.  A former journalist at two daily newspapers (the Austin American-Statesman and the Arkansas Democrat-Gazette), Mr. Kimrey is a trial lawyer who has dedicated more than 20 years to working for and defending media entities. Mr. Kimrey’s practice, however, extends well beyond media defense, focusing on a broad range of direct and class action litigation involving topics as diverse as privacy, consumer deception, intellectual property, entertainment, insurance, banking, real estate, civil rights, telecommunications, and mass catastrophes and torts.  Among other accolades, Mr. Kimrey is Chambers USA Band 2 rated for Media & Entertainment Litigation in the state of Illinois, is listed in Best Lawyers in America for Intellectual Property Litigation, and is AV-rated by Martindale-Hubbell.

Photo of Lisa M. Simonetti Lisa M. Simonetti

Lisa M. Simonetti is a Shareholder at Vedder Price and a member of the Litigation group. Ms. Simonetti focuses on the defense of complex litigation, including class actions, mass actions and regulatory investigations and enforcement actions. Ms. Simonetti represents a wide array of financial services companies, including credit card issuers, mortgage lenders, e-commerce companies, automotive finance companies, national banks, student lenders and savings and loan associations.

Photo of Bryan K. Clark Bryan K. Clark

Bryan K. Clark is an Associate at Vedder Price and a member of the Privacy, CyberSecurity & Media practice group.  He has an extensive media and privacy practice that includes privacy class action defense, mobile-marketing litigation, class action TCPA litigation, copyright litigation, right of publicity litigation, data breach response, FOIA issues, reporter’s privilege issues and prepublication review.