Privacy & Cybersecurity Law Blog

On February 1, 2016, Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, told the European Parliament that an agreement on a new U.S.-EU Safe Harbor agreement has not yet been reached. Jourová indicated that an agreement is close, but additional work is needed to finalize it.

In her message to Parliament, Jourová indicated that any new Safe Harbor agreement would have to be fundamentally different from the original agreement and must be continually reviewed. She also indicated that any new agreement must also be able to withstand potential new legal challenges and provide businesses with legal certainty regarding their ability to transfer data to the U.S.

In addition, Jourová laid out four key issues that need to be addressed:

1. Limits and Safeguards for Accessing Data – Access to data for national security purposes in the U.S. must be limited to what is strictly necessary and proportionate, and must not entail indiscriminate mass surveillance of EU citizens. The U.S. needs to provide specific written assurance regarding these issues, and any new agreement will need to put in place an annual joint review of these issues.
2. Oversight and Redress – There needs to be independent oversight of adherence to any new agreement, and redress for EU citizens who feel that their data has been used for wrongful purposes. An ombudsperson must be put in place who can respond to individuals’ complaints with respect to overreach by national security authorities.
3. Resolution of Individual Complaints – Companies should resolve individuals’ complaints regarding potential privacy violations. If a company cannot resolve the complaint, a third party, such as the Federal Trade Commission or another data protection authority (“DPA”), should resolve it free of charge. If such third parties cannot resolve the complaint, a last-resort mechanism must be put in place to ensure that all complaints are heard.
4. Binding Commitment by the U.S. – The U.S.’s commitment to any new agreement must be formal and binding, and published in the Federal Register. Because the agreement will not technically be an international agreement, signatures at the highest level will be needed.

As we previously reported, the Article 29 Working Party announced in October 2015 that if no Safe Harbor agreement is reached by the end of January 2016, the individual national DPAs may decide to take coordinated enforcement actions against companies that continue to rely on the invalidated Safe Harbor agreement to transfer data. The Article 29 Working Party will meet in the coming days to discuss the ongoing negotiations and next steps.