It appears that the European Commission and U.S. Department of Commerce have reached a deal on a new transatlantic safe harbor data transfer agreement.
My colleague Kevin Coy listened in to a press conference on the new deal, held by European Union (EU) officials, and here is a preliminary overview of what we can expect.
First, “Safe Harbor” appears to be out as a name, and “EU/US Privacy Shield” is in. Perhaps they had Captain Marvel on their minds.
Other points from the EU press conference:
- EU Commissioners blessed the deal today, but the official EU approval process is still necessary.
- The Justice Minister has advised the Chairwoman of the Article 29 working party of the agreement and will be briefing the Data Protection Authories (DPAs) tomorrow in person at their ongoing meeting in Brussels.
- It will take a few weeks for the EU to prepare an adequacy opinion on the new deal and for the U.S. Department of Commerce to finalize things on the US side.
- The EU Justice Commissioner estimates that it may take 3 months for the EU approval process to be completed.
- There will be annual reviews of the new framework, beginning next year.
- The US has made “binding” commitments about surveillance of EU citizens and an ombudsman is being established at the State Department to address national security complaints.
- There will be several avenues for handling disputes about company processing of personal data, with a binding arbitration process as a mechanism of last resort to ensure that all complaints are resolved.
- The Department of Commerce will have an enhanced role with respect to oversight and participating companies will be subject to regular reviews by Commerce.
- There will be increased transparency in the new program.
- Companies that fail to meet their obligations will face sanctions and can be removed from the program.
- There are enhanced onward transfer restrictions on transfers from participating companies to other parties.