Legal insights and updates on the Safe Harbor Data Pact between the U.S. and the E.U.
Insight February 12, 2016
EU and US DOT Strike Safe Harbor Data Pact, but Grace Period Still Expired.
Two days after the expiration of a deadline set by Europe’s data protection authorities to replace the recently invalidated Safe Harbor mechanism, the European Commission and U.S. Department of Commerce announced a deal on a new transatlantic Safe Harbor data transfer pact - the so-called “EU-US Privacy Shield”. The decision is simply an agreement to agree. Official ratification is to be agreed by the EU Commissioners with the guidance of the Article 29 Working Party.
Unfortunately, this is not the answer to the problems raised by the invalidation of the original Safe Harbor, especially considering that the DPAs of some of the strictest EU nations have announced their willingness to take active steps to stop any personal data transfers which still rely on Safe Harbor. “We are watching closely for what the Article 29 Working Party will have to say on the matter,” says John Isaza, Records and Information Governance Partner at Rimon, PC. Rimon’s EU affiliate in Brussels, Carl Dotremont, adds that “For now, the only legal certainty we have is that transfers under Standard Contractual Clauses and previously approved Binding Corporate Rules should be safe until the Article 29 Working Party’s final decision in mid-late April 2016.”
One of the proposed solutions under the EU-US Privacy Shield includes US appointment of an Ombudsman to oversee any EU data privacy complaints, which begs the question of who will stand up to the NSA in the event of a surveillance dispute, for instance.
Stay tuned for more updates as information continues to trickle in from the EU.
In the interim, please note that any grace period following the Court’s decision has in fact expired as of January 31, 2016. Therefore, appropriate and immediate action is recommended.