On February 2, 2016, the much-anticipated agreement between the EU Commission and the U.S. outlining the framework for the transfer of personal data was finalized. Following the invalidation of the Safe Harbour rules by the European Court of Justice (ECJ) on October 6, 2015, the Commission issued new guidance on November 6, 2015. According to this guidance, affected entities could resort to other mechanisms to ensure adequate and secure protection for the transfer of such data to the U.S., including model clauses that would ensure such protection. However, many companies were apprehensive about these alternative methods due to the cumbersome nature of such guarantees.
According to a press release issued by the Commission, the new EU-U.S. Privacy Shield reflects the requirements set out by the ECJ’s ruling back in October, obligating U.S. companies to protect personal data transferred from European companies. Increased cooperation with the European Data Protection Authorities as well as stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC) are among the requirements agreed upon.
Moreover, an ombudsman designated specifically for trans-Atlantic transfer of personal data is to be appointed to handle inquiries and complaints that European citizens may submit. The elements of the agreement clearly indicate that the EU Commission handled the negotiations with a firm hand, especially since the agreement seems to be sprinkled with typical European principles such as transparency, increased cooperation and an appropriate forum for redress, among other things. As the name of the agreement suggests, this time around, there was more emphasis on privacy, an area of focus which is near and dear to the EU.
Ultimately, the EU-U.S. Privacy Shield has replaced the Safe Harbour Agreement, and consequently any transfer of personal data between the EU and the U.S. is regulated by the new agreement, which ensures that U.S. companies importing personal data from the EU “will need to commit to robust obligations on how personal data is processed and individuals rights guaranteed.” This signifies that the alternative mechanisms suggested by the Commission as a reaction to the ECJ ruling will no longer be necessary, thus alleviating most concerns regarding the transfer of personal data.