The European Commission announced Monday that it has reached a deal in principle with the United States on what is being called “Safe Harbor 2.0” – a new data sharing agreement to replace the Safe Harbor agreement invalidated by the EU Court of Justice earlier this month. The Commission’s announcement came on the same day that the German DPA issued a position paper declaring all remaining alternatives to Safe Harbor – including model contract clauses and Binding Corporate Rules – to no longer be viable means for transatlantic data transfer.
The announcement, however, came one day before the Senate passed the Cybersecurity Information Sharing Act (CISA). CISA is designed to encourage companies to share information on cyber-attacks by offering liability protections to companies that share information regarding cyberattacks with the federal government, specifically the Department of Homeland Security (DHS). Privacy advocates have criticized the bill as a surveillance, rather than a cyber-security measure, because DHS could easily share the information with other agencies, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).
Passage of CISA does not square well with comments made by EU Commissioner Vera Jourova at a speech before the EU civil liberties committee. Commissioner Jourova reiterated the European view that the American legal system must offer safeguards for data transfers that are “globally equivalent” to European ones.
Under the new agreement, concerns over transparency and enforcement would be remedied through stronger oversight by the U.S. Department of Commerce, including by greater cooperation with European DPAs and the referral of complaints to the Federal Trade Commission (FTC). “This will transform the system from a purely self-regulating one to an oversight system that is more responsive as well as proactive, and backed up by significant enforcement, including sanctions,” said Jourova.
Companies should expect more details to emerge as negotiations continue. The European Commission, acting through the recently convened Article 29 Working Party, has set a deadline of January 2016 for a new data transfer deal. Companies may have something of a reprieve until that time, but should be prepared to pivot and quickly adopt new policies and implement other tools to comply with any new data transfer agreement. If no deal is reached by January 2016, the Working Party has made clear that “EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
For assistance in understanding how these decisions may affect your company, of help auditing privacy and data security compliance programs, please contact the author or a Polsinelli Privacy and Data Security team member.