On February 2, 2016, the European Commission announced that it
reached a deal to replace the EU-US Safe Harbour framework that was
declared invalid last year by the Court of
Justice of the European Union (CJEU). Referred to as the
"EU-US Privacy Shield", the new framework should provide
businesses with guidance for the safe transfer of personal
information of citizens of the European Union (EU) to the United

The CJEU declared the old Safe Harbour framework invalid on
October 6, 2015. Under the EU Data Protection Directive, the
personal information of EU citizens can only be transferred from
the EU to countries with adequate data protection standards. The
old Safe Harbour agreement, negotiated between the European
Commission and the United States Department of Commerce, was one of
a number of mechanisms available to EU businesses to ensure there
was an adequate level of protection when transferring personal data
of EU citizens to the United States. One of the CJEU's primary
concerns with the old framework was the massive and indiscriminate
surveillance of personal information of EU citizens in the United
States, which was viewed as incompatible with the "fundamental
rights" of EU citizens.

Regulators provided a grace period ending January 31, 2016
for the negotiation of a new agreement, during which European Data
Protection Agencies would not pursue penalties against businesses
improperly transferring personal information of EU citizens from
the EU to the United States.

Features of the New Framework

While the terms of the new agreement have not been settled, the
European Commission released some details of the EU-US Privacy

Obligations on businesses in the United States with
respect to personal information of EU citizens and enforcement
mechanisms: Similar to the original Safe Harbour,
businesses in the United States will need to commit to obligations
regarding how personal information will be processed and how
individual rights will be guaranteed. The Department of
Commerce will ensure that businesses publish their commitments and
the Federal Trade Commission will enforce these

Transparency and safeguards relating to United States
government access: The United States government has given
assurances that personal information of EU citizens transferred to
the United States will not be subject to government mass
surveillance programs, and that access to such personal information
for law enforcement and national security purposes will be subject
to limitations, safeguards and oversight mechanisms.

Remedies: Companies operating under the new
framework will have deadlines to reply to complaints.
European data protection authorities may refer complaints to the
Department of Commerce and the Federal Trade Commission. Any
dispute resolution mechanisms offered under the EU-US Privacy
Shield will be free of charge. For complaints relating to
possible access by national intelligence authorities, EU citizens
may issue a complaint with a new dedicated ombudsperson based in
the United States.

The European Commission must prepare an adequacy decision to
approve the EU-US Privacy Shield as a valid data transfer mechanism
under the EU Data Protection Directive, which is expected to take
several weeks. Once prepared, the adequacy decision must be
adopted by the College of EU Commissioners after receiving and
considering the advice of the Article 29 Working Party.
Authorities in the United States will need to take various actions,
including establishing the ombudsperson and implementing monitoring

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.