On Feb. 2, the United States and European Union announced a political agreement on the new U.S.-EU Privacy Shield, a data transfer arrangement that would replace the longstanding U.S.-EU Safe Harbor framework. Once the new Privacy Shield text is released, companies will be in a position to review the new standards they would be required to follow to ensure they are protecting EU citizens’ personal data in the United States to a degree that is “essentially equivalent” to data protections provided to EU citizens in the European Union.
The new Privacy Shield framework has been welcomed by the NAM, especially by those members that rely on cross-border data flows to operate their businesses on a global scale. However, there remains some uncertainty as the European Union seeks approval of the new arrangement in the coming months:
- One outstanding question is how long it will take for the new framework to become binding EU law. EU Commissioner Vĕra Jourová estimated in a Feb. 2 press conference that it could take three months for the new Privacy Shield framework to enter into force. Critical to the European Union’s review of the new framework will be opinions issued by the EU Article 29 Working Party (which represents regional data-protection authorities within EU member states) on whether the arrangement would adequately protect EU citizens’ personal data in the United States. The Article 29 Working Party expects to complete its review by the end of March. At some point thereafter, the EU Commission would draft an “adequacy decision,” which would then need to be adopted by the EU Commission and approved by the Article 31 Working Group (representing EU Member states) before it becomes law.
- A second question is whether other personal data transfer mechanisms, including EU Standard Contractual Clauses and Binding Corporate Rules, will remain viable alternatives after the Article 29 Working Party completes its review. Any gap between the end of March and entry into force of the new framework could be problematic for companies with a U.S. and EU presence which have depended on these alternative arrangements since the Safe Harbor Framework was nullified by the Court of Justice of the European Union (CJEU) in October.
- A third set of concerns is whether the Privacy Shield framework would be challenged at the CJEU once it becomes EU law, and how long a review by the CJEU would take. Any uncertainty surrounding the legality of the new framework could affect companies’ decisions on how to store data and could add costs to their operations.
Once the Privacy Shield text is released, the NAM will work closely with our members to assess the impact of the new framework and provide input on its implementation and transition mechanisms, while at the same time monitoring the EU approval process.