In Offering Reassurances on Data Transfer Pact, EU Signals Increased Risks for US Companies

By Daniel L. Farris

Speaking at the Brookings Institute on Monday, EU Commissioner of Justice, Vera Jourova, sought to reassure the public that the US and EU would reach agreement on a new transatlantic data transfer pact – sometimes referred to as Safe Harbor 2.0 – in time for the end of January deadline set by EU DPAs.  In making her remarks, however, Commissioner Jourova provided US companies with subtle signals of what they can expect from privacy and data security regulators in 2016 and beyond.  

While praising the progress already made in negotiations, Commissioner Jourova highlighted the agreement by US officials to provide stronger oversight by the Department of Commerce, and more concerted efforts between EU DPAs and the FTC, which has authority to enforce the EU-US data transfer agreement.  “This will transform the system from a purely self-regulating one,” Jourova said, highlighting longstanding EU complaints about self-certification in the now invalidated Safe Harbor framework, “to an oversight system that is more responsive as well as proactive.”  

Unlike the invalidated Safe Harbor agreement, which stood without significant change for fifteen years, the new framework would include an annual joint review mechanism by which the US and EU will update and address concerns related to the functioning of the new framework, and address exemptions for law enforcement or upon national security grounds.  In other words, US companies should expect more fluid regulations, and compliance programs will have to account for the evolving nature of the data transfer framework.  

Commissioner Jourova similarly praised the USA Freedom Act, which will restrict broad NSA PRISM-type collection of personal data, as well as the Judicial Redress Act, which is currently in the Senate.  If enacted, the Judicial Redress Act would provide foreign citizens the right to bring law suits in the US for alleged privacy violations.  US companies should brace for increased oversight and regulatory enforcement, and should be using the current reprieve to implement and update privacy and data security compliance programs.  

If you or your company has questions or concerns about preparing for or responding to new privacy regulations, or you are interested in creating and/or implementing a cybersecurity plan, contact the author or a Polsinelli Privacy and Data Security team member.