As previously noted, in response to the European Court of Justice ruling in Schrems v. Data Protection Commissioner (Case C-362/14), which struck down as inadequate the so-called “safe harbor” arrangement that had existed for more than a decade, the EU Commission and U.S. Department of Commerce announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. Described as the EU-U.S. “Privacy Shield” agreement, that framework has now been vetted by EU Member States, modified in certain respects, and formally adopted on July 12, 2016 by the European Commission.
New “Privacy Shield” Agreement Seeks to Resurrect a Safe Harbor for EU-U.S. Data Transfers – Can it Succeed?
On February 2, 2016, the EU Commission and U.S. Department of Commerce announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. It was appropriate that the announcement came on Groundhog Day, because we have been here before.
In 2006, responding to terrorist attacks in London and Madrid, the European Commission implemented a data retention directive (the “Directive”) seeking to harmonize EU member states’ retention of certain electronic data that is generated or processed by providers of electronic communications services or public communications networks. The Directive requires, among other things, that Internet service providers retain details of network users’ communications and the information necessary to identify particular users for at least six months and, in some cases, up to two years.
Nothing “Safe” About It: Companies That Falsely Certify Compliance with the U.S.-E.U. Safe-Harbor Framework May Receive Years of Regulatory Oversight
In 2000, the European Commission and U.S. Department of Commerce developed the so-called “U.S.-E.U. Safe-Harbor Framework” as a way to foster data transfer between the United States and E.U. countries notwithstanding concerns that U.S. privacy laws do not offer the same level of protection as E.U. laws with respect to personally identifiable information. As part of the safe-harbor framework, companies that choose to enter the program must publicly declare compliance with the safe-harbor requirements, which include adherence to seven privacy principles touching on the areas of notice, access, data integrity, individual choice (opt in/out rules), security, third-party transfer, and enforcement. The principle of “enforcement” includes making sure that procedures are in place to verify a company’s adherence to the rules and a sanctions regime sufficient to ensure compliance.