Data Security

Safe Harbor 2.0? U.S. and EU Agree in Principle on Data Transfer Agreement

Published: Oct. 27, 2015

Updated: Oct. 05, 2020

The European Union announced that it has reached an agreement in principle with the U.S. to form a new data transfer agreement, following the CJEU’s invalidation of Safe Harbor. See our previous Safe Harbor blogs here and here. While this is good news, significant negotiations must occur before this “Safe Harbor 2.0” can become a reality.

European Commissioner Věra Jourová indicated negotiations between the United States and the EU for a new Safe Harbor agreement began immediately following the Schrems decision. According to Jourová, the Schrems decision created two hurdles for a new agreement and an understanding between the parties, which will form the basis for a new framework, addresses these issues.

First, the U.S. has to offer “safeguards which are ‘globally equivalent’ to the ones we have in Europe” in regards to data transfers. Self-certification is still acceptable, so long as there are effective detection and supervision mechanisms. To that end, the U.S. has committed to “stronger oversight by the Department of Commerce, stronger cooperation with European DPAs and priority treatment of complaints by the Federal Trade Commission.” These changes will result in greater oversight, enforcement, and the potential for sanctions.

Second, the Schrems decision was premised in part on the U.S. intelligence agencies’ abilities to acquire user data. Jourová admitted the biggest challenge to finalizing an agreement will be ensuring that there are “sufficient limitations and safeguards in place to prevent access or use of personal data on a ‘generalised basis’ and to ensure that there is sufficient judicial control over such activities.” Two recent actions by the United States apparently were critical to the success of the initial negotiations: 1) The passage of The USA Freedom Act, which creates new limitations on bulk data collection and increases transparency of the FISA Court; and 2) the issuance of Presidential Policy Directive 28, which requires intelligence agencies to establish policies and procedures for safeguarding personal information collected from signals intelligence activities.

The parties also agreed in principle to provide for an annual joint review mechanism for the new framework, including the usage of law enforcement and national security exemptions.

In making this announcement, the Commission reiterated it will “soon” issue an explanation of the consequences of the Schrems decision and set out guidance on international data transfers.

Reaching an agreement in principle is an important first step to the creation and adoption of Safe Harbor 2.0; however, significant additional negotiations will have to take place over the coming months before a new framework can be approved. Nonetheless, this development demonstrates that both U.S. and EU authorities recognize the importance of a Safe Harbor replacement after the Schrems decision and may provide companies some comfort that authorities are striving to reach a workable solution.