UPDATE: EU Commissioner for Justice made statements just before the agreement was approved indicating that not everyone has signed up for this agreement. Read Commissioner For Justice Vera Jourova’s comments here.
While the US and EU did not meet their targeted deadline of January 31st for coming up with a replacement for Safe Harbor, they sort of came close. But, apparently, there are still a number of hurdles to jump through.
First, the US and the European Commission agreed on February 2nd to a new agreement called Privacy Shield to replace the 15+ year old Safe Harbor Agreement. However, they don’t have the final say on the agreement.
A next step is to get the Article 29 Working Party to approve the agreement. WP29 is a group of all 28 EU nations' Data Protection Authorities. Their approval of this agreement is key to not having another court fight once this rule (if approved) goes into effect. That is expected to take about 3 months.
Next, the Data Protection Authorities need to agree on what they are going to do in the meantime. After the court struck down Safe Harbor, they agreed not to enforce the court ruling until January 31st so that the US and EU could come up with a replacement and so that they did not throw the thousands of businesses that used the Safe Harbor Agreement to transfer data between the US and EU into chaos. That deadline has passed. I speculate that they will extend the moratorium, but that is anyone’s guess.
And, there is always the court to contend with. Max Schrems could always go back to the court and say that this new agreement does not solve the problem.
Finally, the agreement requires the US to do certain things, and my understanding is that those would have to happen before the agreement could go into effect. One requirement that WP29 has already said must happen is that the US must pass a law giving EU residents a right to sue in US court for breaches of any agreement. A bill to that effect is winding its way through Congress, but has not been passed by both Houses, reconciled or signed by the President.
While the diplomats may have signaled success by agreeing to the terms that they did, getting the 28 Data Protection Authorities to agree that these protections are sufficient is another matter.
While I have not seen the actual agreement, reports are that it calls for:
- Clear safeguards and transparency obligations on the part of US government access. I think this could be a challenge. While the US has given the EU written assurances that data access will be limited, whether the gang of 28 believes the US or not could be key to getting the agreement approved.
- Stronger obligations for US data importers to protect EU citizens’ data.
- EU citizens must have effective rights of redress. This includes requirements for the data importer to set up processes, the Federal Trade Commission to create a process for handling EU citizen complaints – something it has never done – and for the Intelligence Community to set up an independent ombudsman to address complaints of inappropriate access.
Some of these may require Congressional action – or not. In any case, what is clear is that this is not over yet and US companies should not breathe a sigh of relief. It is, however, a sign that progress is being made.
Information for this post came from the Data Protection Report.