"The Shield": Thoughts on the EU-US Data Privacy Shield

After months of unease for United States companies and their counsel alike, the United States and the European Union have tentatively reached a deal to continue the flow of cross-border data transfers from the European Union to the United States.

On October 6, 2015, the European Court of Justice invalidated the Safe Harbor Framework in the decision Maximillian Schrems v. Data Protection Commissioner (Case C-362/14). The US-EU Safe Harbor program was a long-standing framework for companies engaging online and transacting data with European customers and users. The absence of the Safe Harbor left many companies scrambling to figure out the best methods to comply with the EU Data Privacy Directive, the EU’s privacy regulatory regime.

The upside of the Safe Harbor program was that it gave startup companies that wanted to expand into the European market a more streamlined approach to privacy compliance. For a small company, the cost of compliance through other means, such as the Model Clauses, proves to be onerous and cost-prohibitive in many instances.

Details remain to be hammered out, and the program, to be known as the EU-US Privacy Shield, still needs to be ratified. While the new program will allow companies to continue data transfers, the proposed Shield program has already been met with criticism, not surprisingly, from Max Schrems himself, who tweeted:

“SUMMARY on new #SafeHarbor: This is 100x more laughable than I would have ever expected from what @VeraJourova is presenting. Back to CJEU?!”

Even with the implementation of a new program, many United States companies, from established retailers to newer web and mobile applications, were not in compliance with the prior Safe Harbor program. If a company is transferring data to and from Europe, selling to European consumers or targeting that market, it should take a hard look at what is required of companies under the EU Data Privacy Directive. Receiving an inquiry from a European data protection authority (DPA) comes with legal and, sometimes, investment consequences.

Despite the likely availability of the EU-US Privacy Shield program in the coming month, companies should be aware that they are now dealing with heightened awareness and a heightened regulatory environment in Europe when it comes to user data and privacy. The Safe Harbor debate is, and will remain, emblematic of the struggle between protecting user privacy and allowing businesses to transact data in the everyday course of business.