The decision of the Court of Justice of the European Union (CJEU) to invalidate Safe Harbor in October 2015 sent shockwaves throughout the international business community. Safe Harbor was a certification mechanism that allowed personal data to be transferred across the Atlantic while guaranteeing that the personal data would be subject to the same protections as under EU law. More than 4,000 US based companies used this transfer mechanism. When the CJEU invalidated Safe Harbor, multinational companies were left wondering how they could now validly transfer employee information to their US affiliates.
After the announcement of the EU-US Privacy Shield on February 2, 2016, it now appears that a resolution may be on the horizon. However, before the Privacy Shield can be formally adopted, the EU's Article 29 Working Party, an independent advisory body on data protection and privacy, will examine the proposal in greater detail before making a final recommendation.
If the Privacy Shield becomes the framework that replaces Safe Harbor, American companies wanting to import personal data from the EU should expect to be subjected to heightened privacy and processing obligations and increased enforcement efforts. EU citizens would also have new avenues of redress for privacy violations against both EU and US companies under the Privacy Shield - including the right to bring a US company into binding arbitration.
The Bottom Line: While many questions remain regarding the practical implementation of the Privacy Shield, progress toward a final agreement is encouraging for multinational companies seeking guidance on transatlantic data transfers. Until the Privacy Shield is formally adopted, it is recommended that companies use either the Standard Contractual Clauses or (the less common) Binding Corporate Rules to establish the lawfulness of data transfers from the EU to the US. Companies should also be prepared, however, to revise their data privacy policies and procedures when the final parameters of the Privacy Shield are published.
If you have any questions regarding the status of the Privacy Shield or its requirements, please feel free to contact the authors of this Alert, Daniel Waldman, dwaldman@fordharrison.com, who is a partner in our New York and San Francisco offices, or Jesse Pauker, jpauker@fordharrison.com, who is a senior associate in our New York office. Both Dan and Jesse are members of FordHarrison's Global Employment Services Team, and worked closely with Claeys & Engels attorney Stephanie Raets in preparing this article. FordHarrison and Claeys & Engels are both members of Ius Laboris, the world's largest global labor and employment alliance. As such, our attorneys are uniquely situated to address issues that confront multinational businesses on a daily basis.