Leaving the (U.S.-EU Safe) Harbor, Taking Up an (EU-U.S.) Shield

Leaving the (U.S.-EU Safe) Harbor, Taking Up an (EU-U.S.) Shield

CM Blog Verska Shield 2216 158430_640While U.S. and EU authorities missed the January 16, 2016 deadline for replacement of the U.S.-EU Safe Harbor Framework declared invalid by the EU high court late last year, new hope for a substitute arrangement has dawned according to recent announcements from the EU. According to a press release by the European Commission today, a so-called “EU-U.S. Privacy Shield” program is now in development.

The program includes three key aspects:

  • Transparency and limits on access by U.S. law enforcement authorities to data of EU residents held by U.S. companies (“Shield Data”) under the Privacy Shield;
  • Robust and enforceable rules regarding the handling of Shield Data by U.S. companies; and
  • A range of redress options for EU residents with data privacy complaints, including deadlines for responses and creation of an U.S. ombudsman in the State Department for complaints regarding access by U.S. law enforcement authorities.

Those paying close attention may note that only the limits on U.S. law enforcement and the addition of a U.S. ombudsman are actually new. The other aspects were ostensibly part of the former Safe Harbor Framework, according to its own terms. In addition, from a U.S. legal perspective, the proposed limitations on U.S. law enforcement will be quite complex and time-consuming to secure, since they appear to require enforceable sign-off by a range of U.S. law enforcement agencies, including the National Security Agency, none of which are known for transparency in their operations, to say the least.

In my view, the upshot for U.S. companies hoping to quickly solve their data flow issues stemming from the death of the Safe Harbor appears to be continuing their work to legitimize their data flows, with the addition of contractual clauses that will permit substitution of the EU-U.S. Privacy Shield, once complete.

My bet is that we will know the two major candidates for U.S. President before the EU-US Privacy Shield proposal is fully accepted by all relevant actors in the EU as an adequate basis for the legal flow of EU personal data to the U.S. again.

By Kim Verska, CIPP/U.S.

The data privacy and security attorneys at Culhane Meadows are able to assist you and your company with your cross-border data flows. As the law firm that prides itself as being Big Law for the New Economy™, we offer lawyers trained by the top law firms in the country, working now in a low overhead environment, able to pass the efficiencies along to you, the client. For more information write to kverska@culhane.law, or dataprivacy@culhane.law.

This Blog/Web Site is made available by Culhane Meadows PLLC and its attorneys for educational purposes only and to provide general information about the law—not to provide you specific legal advice. By using this Blog/Web Site you understand that there is no attorney client relationship between you and any Culhane Meadows attorney. This Blog/Web Site should not be used or relied upon as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction. Also, please note that although this Blog/Web Site is made available on the Internet, Culhane Meadows attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.