The European Commission has finally made the draft text of the EU-US Privacy Shield program available (scroll down in the press release for further links). The Privacy Shield program, which was agreed to in principle by US and EU negotiators nearly four weeks ago, will replace the Safe Harbor program that was struck down last autumn by the Court of Justice of the EU. However, Privacy Shield is not quite a done deal. The Commission is awaiting comments on the Privacy Shield program from the Article 29 Working Party, an advisory group that consists of members of the national data protection authorities.
Safe Harbor
Judicial Redress Act passes the House with the Senate Amendments
The amended Judicial Redress Act has passed the House and is on its way to the president to be signed into law. The Act, which we covered in an earlier blog post, gives citizens of foreign countries the same rights as US citizens in connection with the use by the US government of their personal data, subject to a determination by the Attorney General that the country in question cooperates with the US in sharing law enforcement information, doesn’t impede the flow of personal data to the US for commercial purposes, and meets certain other requirements. Essentially, the Judicial Redress Act helps assuage the EU’s concerns about government uses of personal data. The Judicial Redress Act is vital for the EU’s acceptance of the Umbrella Agreement for sharing of data by law enforcement agencies. It should be helpful for the proposed new “Privacy Shield,” which is currently under review by representatives of Europe’s national data protection agencies.
Amended version of Judicial Redress Act passes the Senate; now goes back to the House
The US Senate passed the amended version of the Judicial Redress Act on February 9. The amendments, which tie the Umbrella Agreement to Safe Harbor 2.0 (now dubbed the US-EU “Privacy Shield”), now go back to the House for approval. We discussed the amendments in an earlier blog looking at the intersection of security-related and commercial discussions between the US and EU.
Commission Press Release and FTC Fact Sheet outlines the new EU-US “Privacy Shield”
Update: The US Commerce Department has released a “fact sheet” on the new Privacy Shield agreement.
The European Commission has issued a press release that gives an outline of some key changes to the EU-US safe harbor, now dubbed the “Privacy Shield.” The new accord still needs to be reviewed by the Article 29 Working Party and the College of Commissioners, but assuming it remains substantially the same, we can expect the following: Continue Reading Commission Press Release and FTC Fact Sheet outlines the new EU-US “Privacy Shield”
Political Agreement Reached on US-EU Safe Harbor; Details “Hazy”
According to press reports, European Union and U.S. negotiators in Brussels finalized what is being called a “political agreement” on a new Safe Harbor transatlantic data transfer agreement. European Union justice commissioner Vera Jourová will present the agreement to the European Commission’s 28 commissioners today. Continue Reading Political Agreement Reached on US-EU Safe Harbor; Details “Hazy”
EU update: Safe Harbor 2.0 deadline passes without agreement; Art. 29 WP views on BCRs and model clauses expected tomorrow
No news is not good news this time. The January 31 deadline for getting a new Safe Harbor Agreement in place came and went last weekend. Commissioner Jourova, who is leading the Safe Harbor 2.0 negotiations for the EU, reported on the negotiation’s status last evening to LIBE, the European Parliament committee that oversees privacy matters. While reporting that substantial progress has been made, Jourova noted that the details of the redress mechanisms for EU persons are still under negotiation, along with a few other issues relating to the overall robustness of the new framework. The Article 29 Working Party (representing the 28 member states’ data protection authorities) meets today and tomorrow to discuss the post-Schrems legal landscape. The Working Party has said that they will also release the results of their consideration of whether the Schrems decision vitiates the model clauses and binding corporate rules. The model clauses and BCRs are particularly vital data transfer mechanisms, given the limited options available for transfers outside of the European Economic Area, so the Working Party’s opinions will be an extremely important indicator for the the uncertain future of EU to US data flows.
Running Aground in the Surveillance Safe Harbor – Podcast Available
If you would like to learn more about the politics and law behind the current Safe Harbor 2.0 negotiations, download the podcast of Running Aground in the Surveillance Safe Harbor, a teleforum hosted by the Federalist Society. The podcast features moderator Matthew R.A. Heiman, Vice President, Chief Compliance & Audit Officer, Tyco International; Stewart A. Baker, Partner, Steptoe & Johnson LLP and former Assistant Secretary for Policy at the Department of Homeland Security; and Susan Foster, a solicitor in England & Wales whose practice bridges the UK and US perspectives on data protection matters. Podcast made available through kind permission of the Federalist Society.
Tying it all together: Safe Harbor and Security-Related Data Flows
One of the fascinating aspects of the privacy-related negotiations between the EU and the US over the past couple of years has been the EU’s efforts to decouple trade (e.g, TTIP) and security-related negotiations from the Safe Harbor 2.0 negotiations. The US Senate’s Judiciary Committee pushed back firmly on that yesterday when it adopted amendments to the Judicial Redress Act, which the EU requires to be passed before it will sign the Umbrella Agreement between the US and EU relating to the sharing of crime-related information between law enforcement authorities. The basic aim of the Judicial Redress Act is to give EU citizens the same rights as US citizens under the United States’ Privacy Act of 1974. The European Commission has said a number of times that passage of the Judicial Redress Act was a step in the right direction for Safe Harbor 2.0 (without saying it was enough to fully address the Commission’s concerns). Continue Reading Tying it all together: Safe Harbor and Security-Related Data Flows
(So) What if there’s no Safe Harbor 2.0?
There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place between before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US. But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world. No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures). Only two of the countries are in the top twenty (Canada is in twelfth place). Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list. Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission). So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners. Continue Reading (So) What if there’s no Safe Harbor 2.0?
The EU Commission’s spin on the new General Data Protection Regulation
The European Union Commission has issued a fact sheet on the new General Data Protection Regulation (final post-trilogue text available via Statewatch). The Commission claims that the Regulation is good for individuals and good for business. We’ll leave that to readers . . . and history . . . .to decide.
As regulations go, the GDPR is a page-turner, but if you don’t have time to read all 204 pages before the holidays, consider joining our webinar at 1 pm ET today. Registration is here.