U.S. and EU Agreement on “Privacy Shield”: Impact on Relocation
In October of last year, it was widely reported that the European Court of Justice (“ECJ”) had struck down the transatlantic EU-U.S. Safe Harbor Framework. This is the arrangement that allowed U.S. companies to lawfully handle the personal information of European individuals. In response, Cartus immediately offered its clients the opportunity to enter into the EU Commission’s approved “Model Clauses,” which contractually obligate Cartus to provide the required rights to the European individuals. With the removal of Safe Harbor, the Model Clauses remained the primary means for Cartus to assure its EU clients and customers of safe data-handling procedures.
Shortly after the ECJ decision, the European Union and the U.S. Department of Commerce began work on what many were calling a new “Safe Harbor 2.0.” It was hoped that, when enacted, it would cover the handling by U.S. companies of the personal information of European citizens and furnish an additional option to the Model Clauses.
On February 2, the regulators announced that they had reached a framework for what they are going to call the “Privacy Shield.” The exact terms of the Privacy Shield have not yet been finalized and, as the saying goes, the devil will be in the details. It has been widely reported that the most recent negotiations between the European and U.S. parties have centered on several key issues:
- The creation of a methodology to protect the rights of EU citizens involving their personal data. Some have referred to this as the appointment of an independent ombudsman.
- Agreement on the application of the USA Patriot Act and its various law enforcement tools with respect to the personal data of EU citizens when that data is inside the U.S.
- A dispute resolution methodology for EU citizens who have complaints about U.S. companies.
- Commitments from the U.S. to make all of these measures binding with the power of law upon U.S. companies.
What Does this Mean for Your Relocation Program?
So, what we have here is an “agreement to agree” and little more … for now. It will be up to the EU regulators and representatives of the U.S. Department of Commerce to negotiate and come up with rules of the road that we can all follow. In the U.S., it is unclear whether the final requirement will be met via administrative rule or executive order, or whether it will have to be passed by the Congress and signed into legislation by the President. Obviously, none of this will be completed quickly; so it must be seen as the long-term plan.
What remained in flux was the short-term plan. On February 2, there was a meeting of a select group of European Data Protection Commissioners. This so-called “Article 29 Working Party” was reviewing the Privacy Shield announcement and was expected to announce the EU short-term position. There was some level of concern that the Article 29 Working Party might go as far as invalidating the Model Clauses (which some Europeans already have criticized as being insufficient), which would adversely impact many forms of international commerce. The very good news is that there is no news. The Article 29 Working Party confirmed that the Model Clause approach will remain fully valid pending further study. While that is cold comfort, it is significantly better than no comfort.
For more information, you can also read Worldwide ERC’s announcement on the EU-U.S. Data “Privacy Shield.”