WSGR ALERT

EU and U.S. Reach a Political Agreement on Transatlantic Data Transfer Deal

February 2, 2016

On February 2, 2016, the European Commission (EU Commission) announced that a political agreement on a new legal framework for data transfers has been reached between the European Union (EU) and the U.S.1 Today's agreement introduces the new "EU-U.S. Privacy Shield."

Although the details of the new agreement have not yet been released, this is a crucial step for thousands of businesses on both sides of the Atlantic engaged in transfers of data from the EU to the U.S.

Background

The EU-U.S. Safe Harbor Framework was invalidated by the Court of Justice of the European Union (CJEU) on October 6, 2015, in its groundbreaking judgment in Maximillian Schrems v. Data Protection Commissioner.2 More background on the Safe Harbor Framework and Schrems can be found here.

Following Schrems, the body of EU privacy regulators ("Working Party 29") issued a statement urging U.S. and EU negotiators to reach a new agreement by the end of January 2016.3 Since then, companies have been rushing to implement alternative mechanisms to cover data transfers to the U.S. The situation has been in flux and has triggered a high level of uncertainty for companies doing business in the EU.

Key Points of the Agreement

The details of the new agreement have not been released yet. However, according to the EU Commission, the key points of the political agreement are the following:

  • Increased transparency obligations: Governmental and law enforcement bodies in the U.S. will be subject to clear limitations, safeguards, and oversight mechanisms when accessing data of EU citizens. The U.S. will not subject EU personal data to indiscriminate mass surveillance in the U.S.
  • Enhanced enforcement obligations: U.S. companies that join the program and receive personal data from the EU will be subject to obligations that guarantee individual rights. Compliance will be monitored by the U.S. Department of Commerce and the Federal Trade Commission (FTC). A joint annual review will track compliance with these obligations.
  • New redress mechanisms for EU individuals: Dispute resolution will be available to EU individuals and companies will be subject to deadlines to reply to complaints. EU privacy regulators will be able to refer complaints to the Department of Commerce and the FTC, and these agencies will be required to respond to the complaint within a reasonable period of time. For complaints regarding access to data by national intelligence authorities, a new ombudsperson position will be created.

Next Steps

The formal text of the agreement will likely take several weeks to be published. The new agreement will need to be officially recognized at the EU level via an adequacy decision of the EU Commission. According to the EU Commission, this decision will take at least three months. Of course, the new agreement will likely be challenged and will have to pass the test created by the CJEU in Schrems.

The Working Party 29 is meeting today and tomorrow to consider its formal position regarding this new political agreement, as well as data transfer between the EU and the U.S. in general. The WP29 expects to announce its position during a press conference tomorrow, Wednesday, February 3, 2016. The WP29 position will have a significant impact on data transfers between the EU and the U.S., including on existing data transfer mechanisms such as standard contractual clauses and binding corporate rules and the new EU-U.S. Privacy Shield.

We will continue to closely monitor developments related to EU-U.S. data transfers and will update you on any significant decisions of the Working Party 29.

Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws globally, along with advising clients on EU privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Michael Rubin, Chris Olsen, or another member of the firm's privacy and data protection practice.

Sarah Cadiot, Sára G. Hoffman, and Laura De Boel contributed to the preparation of this WSGR Alert.


2 See the CJEU Judgment, delivered on October 6, 2015, in Case C-362/14 Maximillian Schrems v. Data Protection Commissioner (request for a preliminary ruling from the High Court (Ireland)), available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=1&part=1&mode=req&docid=169195&occ=first&dir=&cid=111628.