Skip to Main Content
Our Commitment to Diversity
Date: 3 February 2016
Public Policy and LawAlert
By: Bruce J. Heiman, Ignasi Guardans, Etienne Drouard, Michael J. O'Neil

The EU-US Privacy Shield: a New Deal on Personal Data Transfers

On February 2, two days after the deadline set by Europe for agreement on a new Safe Harbor governing US access to the personal data of European citizens, US and EU negotiators announced that they had agreed upon a framework for a new data sharing agreement, which will be called the EU-US Privacy Shield, to replace the Safe Harbor agreement struck down by the European Court of Justice on October 6, 2015. US companies adhering to the EU-US Privacy Shield, which has yet to be formally adopted by both the EU Commission and the US Department of Commerce, will be able to receive, store and use personal data from Europe according to its terms.

The key elements of the EU-US Privacy Shield, which aims to assure that US protections of European personal data will be essentially equivalent to that provided in Europe, will be:

  • Stronger obligations for US companies to process European data and the obligation for US companies to comply with decisions of European Data Protection Authorities.
  • US government monitoring of US company compliance, including a EU-US annual joint review of the agreement.
  • US government enforcement by the Federal Trade Commission.
  • Detailed US government commitments concerning limitations that will apply to US law enforcement and intelligence access to the European data, including a commitment that it will not be subjected to indiscriminate mass surveillance, to be overseen by a US Ombudsman appointed for this purpose with full powers to review and respond to complaints from EU citizen.
  • EU citizen rights to file complaints with the US Department of Commerce and the FTC, backed up by the right to an alternative dispute resolution mechanism.

Key guarantees undergirding the framework are set out in letters from the US to the European Commission signed by the White House and the US Director of National Intelligence. Those letters have not yet been made public.

While explicitly not required as an immediate condition of the agreement, the EU clearly hopes that the Judicial Redress legislation now under consideration in the Senate will pass soon.

Further Regulatory Steps

What will follow this announcement will be the development of a draft for adoption by the parties and, in Europe, its presentation to the EU Commission. On the US side, an implementation framework must be put into place, including the creation of the Ombudsman’s office and passage of the Judicial Redress Act. In both Europe and the US, there will be skeptics who question the solidity of US assurances, particularly as to law enforcement and intelligence access to European data, and whether the EU-US Privacy Shield is a step forward in privacy protection or simply a rehash of the now defunct Safe Harbor.

We expect that the agreement will be supported this Wednesday February 3 by the European Data Protection Authorities and adopted by the EU Commission and put into place.

Prepare Yourself Now

Legal challenges may follow in some EU countries, but they will take some time to perfect, since alternative dispute resolution and annual EU-US joint review mechanisms are provided as new alternatives to potential claims before the European Court of Justice. In the meantime, US companies will need to make any necessary adjustments in order to accede to the new EU-US Privacy Shield.

We can help ensure your successful adherence to and compliance with the new regime. Please contact anyone of the attorneys listed for further information or assistance.

Bruce J. Heiman
Bruce J. Heiman
Washington DC

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.

Return to top of page

Email Disclaimer

We welcome your email, but please understand that if you are not already a client of K&L Gates LLP, we cannot represent you until we confirm that doing so would not create a conflict of interest and is otherwise consistent with the policies of our firm. Accordingly, please do not include any confidential information until we verify that the firm is in a position to represent you and our engagement is confirmed in a letter. Prior to that time, there is no assurance that information you send us will be maintained as confidential. Thank you for your consideration.

Accept Cancel