European Commission Vice-President Andrus Ansip and DG Justice Commissioner Věra Jourová jointly announced today that representatives of EU Member States have voted to approve the EU-U.S. Privacy Shield. The Privacy Shield is the heavily negotiated framework for legitimizing transatlantic data flows that will replace the Safe Harbor arrangements, which were invalidated following a decision issued by the EU Court of Justice in October 2015.

The press release announcing the vote praised the Privacy Shield for ensuring “a high level of protection for individuals and legal certainty for business.”

Highlights of the Privacy Shield include:

  • the obligation for organizations handling EU personal data to comply with the more rigorous Privacy Shield rules applicable to transatlantic data flows;
  • written assurance by the U.S. Government that “the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms” while ruling out indiscriminate mass surveillance of European citizens’ data; and
  • protection of the fundamental rights of EU citizens through implementation of a number of accessible and affordable redress mechanisms, including through the newly created Ombudsman.

It is expected that the Privacy Shield will formally be approved by a decision of the European Commission early next week. A meeting of the EU Commission is scheduled to take place on Monday, and U.S. Secretary of Commerce Penny Pritzker is expected to visit Brussels on Tuesday. Although many U.S. companies can now breathe a sigh of relief, many will find that the new rules and enforcement mechanisms established by the Privacy Shield documents present compliance challenges. And the Privacy Shield arrangements, once approved, may be short-lived if, as expected, they are subject to litigation similar to the legal challenge that led to the invalidation of the Safe Harbor program.