The European Commission (EC) and U.S. Department of Commerce (DOC) announced today that they have replaced the invalidated U.S.-EU Safe Harbor framework with an updated transatlantic framework which adds several new layers of transparency and oversight.

Though the text of the agreement will not be available for a few weeks, both parties announced a number of high-level changes to the transatlantic pact, now called the EU-U.S. Privacy Shield (Privacy Shield), including:

  • Improved safeguards and transparency obligations regarding U.S. government access to data;
  • Annual review of the Privacy Shield by the EC and DOC to include input from the European Union (EU) member state data protection authorities (DPAs) and U.S. national security agencies;
  • An ombudsman in the U.S. State Department to handle referrals from EU DPAs regarding EU citizen complaints about national security data use;
  • Binding arbitration as a last resort for EU citizen data use complaints against a Privacy Shield certified company which are not resolved after the use of usual Safe Harbor dispute resolution mechanisms; and
  • Further subprocessor liability commitments for onward transfers.

The Article 29 Working Party (WP29), consisting of the DPAs of all 28 Member States, will discuss the Privacy Shield at their February 3 meeting. We will provide further information after the meeting. For further details regarding the new Privacy Shield and possible outcomes of the next stages of implementation, see our Client Alert on the new Privacy Shield.