Despite privacy shield agreement, legal uncertainty remains for ­businesses transferring personal data

By Louis Dejoie and Thomas Markey McNees

On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated a Safe Harbor provision that allowed companies to transfer personal data from within the EU to the US, finding that the Safe Harbor failed to adequately protect EU citizens' privacy. The CJEU's ruling left many companies, which relied on the Safe Harbor to conduct business, in legal limbo. On February 2, 2016, in a step toward legal clarity for businesses and consumers, the EU and US agreed in principle to implement a new Privacy Shield.

The new Privacy Shield addresses several shortcomings that led to the Safe Harbor's invalidation. First, according to the European Commission's press release, before importing personal data from the EU, US companies must commit to "robust obligations on how personal data is processed and individual rights are guaranteed." Second, "the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms." Third, EU citizens will have redress procedures they can follow if they suspect their data has been misused.

Details regarding the Privacy Shield, however, remain sparse. The European Commission's next step is to prepare an "adequacy decision," and regulatory changes must occur in the US. Additionally, the Article 29 Working Party-a group of EU data regulators-will evaluate the Privacy Shield and has insisted on receiving all related documents by the end of February. As these events transpire, companies remain in a state of limbo in which they can rely on neither the invalid Safe Harbor nor the yet-to-be-implemented Privacy Shield.

After the Safe Harbor's invalidation, the primary methods for legalizing transatlantic data transfers became data protection clauses in contracts between data-sharing companies and binding, regulator-approved corporate rules for transfers between subsidiaries and/or parent companies. The Working Party indicated in a statement that regulators will continue to treat standard contractual clauses and binding corporate rules as legal data-transfer methods until the Working Party has time to fully analyze the Privacy Shield. The Working Party expects to complete its analysis in mid-April. The Working Party will also assess the continued legality of standard contractual clauses and binding corporate rules. Any companies relying on the Safe Harbor, however, may now be subject to enforcement actions, which regulators informally suspended until January 31, 2016.

In summary, announcement of the Privacy Shield has not resolved the legal uncertainty regarding EU-US data transfers. The Privacy Shield must be implemented on both sides of the Atlantic, and may face court challenges from privacy advocates who feel the new safeguards remain inadequate. Companies that regularly transfer data from the EU to the US should continue to monitor implementation of the Privacy Shield and the legal adequacy of standard contractual clauses and binding corporate resolutions in the future.

Published: Wed, Mar 02, 2016