New framework for international data transfers from the EU to the US

05 / 02 / 2016

On October 6, 2015 the Court of Justice of the European Union (CJEU) declared invalid the so-called Safe Harbor agreement, under which international transfers are made from the European Union to the United States. The European authorities consider that the United States does not offer an adequate level of protection for personal data. The decision left companies who share their data with the United States in a “legal limbo”, since it did not allow transfers to that country based on the safe harbor scheme, forcing them to look for another legal basis to transfer personal data.

The European Union and the United States had been negotiating for some time, even before the famous CJEU judgement, a framework for a “Safe Harbor 2”, with a view to improving the protection of EU citizens’ data across the Atlantic. However, the end of the conversations was still not in sight.

Following the CJEU judgment, the Spanish Data Protection Agency (AEPD), in coordination with the other European regulators, issued various press releases and asked companies transferring data to the US under safe harbor to come into line with the decision before January 29, the deadline agreed collectively in the EU. Complying with the judgment involved obtaining the unambiguous consent of each data subject (with the difficulties that this involves at companies who process the data of thousands of users) or obtaining the AEPD’s express authorization, following a lengthy and complex process in which the Agency, in accordance with the Personal Data Protection Organic Law (LOPD), has three months to issue a decision.

At the same time as companies were asked to come into line with the judgment, European agencies urged the EU and US representatives to end the negotiations on a new framework for transatlantic data flows as soon as possible.

On Monday February 1, the Justice Commissioner Vera Jourová addressed the European Parliament to provide an update on the talks and inform the members that an agreement had not been reached because certain key issues needed to be resolved. However, the next day, Tuesday February 2, 2016, the European Commission issued a press release indicating that the EU authorities, represented by the European Commission, and the US State Department, had finally agreed on a new framework for transatlantic data flows. A similar statement was published by the US Department of Commerce.

News of this agreement, called the “EU-US Privacy Shield”, came just two days after the date by which all the companies who act as data controllers in Spain and use Safe Harbor were required to come into line with the judgment using the alternative means available.

Little else has transpired following the European Commission’s press release, but the new scheme will undoubtedly force US businesses to adopt security measures that ensure the correct processing of personal data received from the EU and to undergo periodic reviews. Furthermore, citizens will undoubtedly be given the means to make direct claims against potential infringements of their rights.

Although this is encouraging news for companies that transfer data to the US—it is expected to simplify transatlantic data flows—the transitional period it leaves in its wake is ill-defined. The fact is that for the complete validity of the transfer framework agreement approved last February 2, the corresponding legal instruments specifying the scope of such agreement have yet to be adopted. For the time being the European regulatory authorities comprising the Article 29 Working Party have expressed the need for more information on the agreement in order to be able to give their opinion and verify whether it complies with the principles established by the CJEU in its judgment of October 6, 2015.