On February 2nd, the European Commission and the Department of Commerce announced that they have reached an agreement on a new framework to replace the EU US Safe Harbor Program. Last October, the European Court of Justice (ECJ) found the existing Safe Harbor program to be inadequate for transferring personal information from the European Union (EU) to the US, and European data protection authorities (DPAs) had threatened coordinated enforcement actions if a new agreement was not reached by the end of January. The agreement announced February 2nd represents over two years of negotiations between the EU and the US, negotiations which took on particular urgency after October’s ECJ opinion.
The new program has been named the “EU US Privacy Shield.” The text of the new agreement, which is expected to take the form of an exchange of letters between senior EU and US officials, has not yet been released and a specific date for release of the text has not yet been announced. Since the text of the new agreement has not yet been released, many of the details are still unclear. Among the details yet to be disclosed: What changes will participating companies have to make to their privacy policies? What new obligations will companies have to undertake to participate in the new program? What will the enhanced oversight roles for the Department of Commerce and the Federal Trade Commission mean in practice for participating companies? What will be the operational impact of changes to the Onward Transfer principle? How will the new consumer redress options work in practice?
There will be continuing developments in this area in the coming weeks and months, as the new agreement works its way through the EU approval process. U.S. companies that receive personal data from organizations or individuals in the EU member states and other participating countries will need to evaluate the new agreement and its requirements to assess whether to participate. Companies that choose to participate will need to develop compliance programs to meet the enhanced requirements of the new program, once they are released. At this time, all indications are that it remains a voluntary, self-certification program.
While the text of the new agreement has not yet been released, some details about the new program, which may take several months to fully implement, have been announced:
- EU Commissioners blessed the deal February 2nd, but the official EU approval process is still necessary. The EU Justice Commissioner estimates that it may take 3 months for the EU approval process to be completed.
- The EU Justice Commissioner briefed the EU DPAs on February 3rd, in person, in Brussels.
- There has been no official word yet on the transition process while the new program is being approved and implemented. The EU DPAs likely will have more to say about their short-term transition expectations now that they have been fully briefed on the new deal and once they have seen the text of the agreement.
- The Department of Commerce and the Federal Trade Commission will have enhanced roles in the new program. Participating companies will be subject to regular reviews by the Commerce Department.
- There will be annual EU/US reviews of the new framework as a whole, beginning next year, to ensure that the program is operating effectively.
- The US has made “binding” commitments about surveillance of EU citizens and an ombudsman is being established at the State Department to address national security-related complaints. These complaints will be made through the EU member states.
- There are enhanced onward transfer restrictions on transfers from participating companies to other parties as well as other new obligations for participating companies, although details have not yet been published.
- There will be multiple avenues for handling disputes about company processing of personal data:
  - Companies will still be able to seek to resolve complaints directly with consumers.
  - The alternate dispute resolution process will continue to be an additional option for resolving third party complaints through organizations such as the Direct Marketing Association, the Better Business Bureau, TRUSTe and other similar channels.
  - Commerce Secretary Pritzker is expected to form a special group within Commerce to handle complaints, in addition to other dispute resolution mechanisms.
  - The EU DPAs are expected to continue to be involved in handling disputes involving human resources data, as they are under the current Safe Harbor program.
  - The Federal Trade Commission will enforce Privacy Shield commitments. Chairwoman Ramirez issued a statement shortly after the announcement of the new deal affirming that the Federal Trade Commission will make enforcement of the new framework a priority.
  - Binding arbitration will serve as a dispute mechanism of “last resort” to ensure that all complaints are resolved. The arbitration process, which is expected to be voluntary for EU citizens, is believed to focus on specific-performance types of remedies. Appeal of arbitration decisions into the courts may occur in accordance with the Federal Arbitration Act, but the details of this part of the program are not yet clear.
- Companies that fail to meet their obligations under the new program will face sanctions and can be removed from the program.
While many details about the new arrangement are not yet known, some privacy advocates in the EU are already criticizing the new arrangement. A court challenge to the new arrangement certainly is possible, but EU and US officials both have expressed optimism that the new arrangement could survive an ECJ challenge. This will continue to be a developing issue as more details about the new agreement are released, EU DPAs and other EU stakeholders weigh in, and as the approval and implementation process moves forward.