"Good advice requires a reliable flow of information. As a trusted partner, we provide more than mere end-to-end cost transparency."
Newsletter, Kanzlei Schiedermair


A few decades ago many - if not most - Americans still pooh-poohed data privacy. Data privacy was often thought of as just one more layer of bureaucracy. This attitude prevailed even after the European Union’s issuance of the Data Privacy Directive in 1995. What eventually drew Americans’ attention to data privacy were the data breaches that have occurred over the years in the United States – whether accidental or caused by hackers – and the potential identity theft resulting from them. In 2015 alone there were a number of cyberattacks in the United States, including on the health insurer Anthem, Inc., the U.S. Office of Personnel Management, the information services group Experian, United Airlines, and the IRS, to name just a few. It is fair to say that Americans have placed greater emphasis on data privacy over the past few years.

Despite the increased attention on data privacy, the United States is far from enacting a federal data privacy statute. Instead, the United States takes a sectoral, patchwork approach to data privacy by enacting only issue-specific data privacy statutes such as the Children’s Online Privacy Protection Act of 1998, the Federal Information Security Management Act of 2002 (FISMA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). State statutes can also play a significant role in data privacy.

Regardless, the European Union concluded in 1999 that the United States does not provide “adequate protection” for personal data as is required by Article 25 of the Data Privacy Directive 95/46 (that will presumably be superseded by the General Data Protection Regulation sometime in March or April of this year). To overcome this deficit, the United States and the European Union concluded the Safe Harbor Agreement in 2000 that permitted companies to transfer data to the United States as long as the respective company became self-certified under this regime and observed the principles set forth therein. Over 4,500 companies have since become self-certified under the Safe Harbor Agreement.

The European Union had viewed safe harbor self-certifications with skepticism over the years because it believed that companies often became self-certified under the agreement but failed to take sufficient action – if any at all – to ensure that they actually observed the associated principles. On October 6, 2015, the European Court of Justice (ECJ) held that the Safe Harbor Agreement was invalid. Specifically, the ECJ held the Safe Harbor Agreement to be invalid because (i) the U.S. National Security Agency (NSA) had access to data transferred to the United States, and (ii) there was no true structure in place for EU citizens to bring privacy complaints in the United States in the event of a data privacy violation. As a result of this court decision, the Article 29 Working Party set a deadline of January 29, 2016, by which the European Union and the United States had to reach an agreement on the acceptable transfer of data to the United States.

The two jurisdictions needed to reach an agreement quickly as a prohibition on transferring personal data to the United States was inconceivable. (Of course, companies may use other methods to transfer personal data from the European Union to the United States, most notably, standard contractual clauses, binding corporate rules, or consent, but each of these methods has its individual disadvantages.)

Through last-minute frantic wrangling between Washington and Brussels, the two jurisdictions reached an agreement on February 2, 2016, i.e., very shortly after the deadline had passed. Or did they?

Critics have stated that the “agreement” – called the “Privacy Shield” – is nothing more than an exchange of (unpublished) letters as to what the European Union and the United States propose to do over the next few weeks. A February 2, 2016, press release of the European Union entitled “EU Commission and United States Agree on New Framework for Transatlantic Data Flows: EU-US Privacy Shield” states that only a “political agreement” was reached and that the College of Commissioners will consider an “adequacy decision in the coming weeks”. It quickly becomes clear that the European Union and the United States did not reach a legally binding agreement and that much is still in the air. This was subsequently confirmed by the February 3, 2016, Statement of the Article 29 Working Party, in which it states that “[i]t looks forward to receiv[ing] the relevant documents in order to know precisely the content and the legal bindingness of the arrangement...” and that “the Commission is to communicate all documents pertaining to the new arrangement by the end of February.”

One proposal put forth by the United States during the negotiations was to introduce an ombudsperson with whom EU citizens could file complaints regarding data privacy breaches. This proposal is now indeed part of the Privacy Shield insofar as it applies to complaints about access to personal data by national security authorities. This ombudsperson is to be appointed by the U.S. State Department. It is still unclear who will serve as the ombudsperson and what his or her specific duties will be.

The four other primary aspects of the Privacy Shield are:

(i) A strong commitment from companies to observe robust obligations when processing or transferring personal data from the European Union;
(ii) Confirmation from the United States that it will no longer engage in indiscriminate mass surveillance; instead any surveillance will be subject to clear limitations, safeguards and oversight mechanisms;
(iii) Confirmation that the European Union will be able to refer complaints from EU data subjects to the U.S. Department of Commerce and the Federal Trade Commission; and
(iv) That there will be an annual joint review by the European Commission and the U.S. Department of Commerce with input from U.S. national security experts and EU data protection authorities.

A number of data privacy authorities had publicly stated that if the jurisdictions fail to reach an agreement by the beginning of February, the data privacy authorities would consider beginning to take enforcement actions against companies that relied on the invalid Safe Harbor Agreement to transfer data from the European Union to the United States. It now seems that, with the Privacy Shield announcement, the United States has at least bought itself a little bit of time (a month or two) to put something more concrete – and legally binding – into place with the European Union.

One point that remains entirely open is whether any eventual agreement between the European Union and the United States will be upheld by the ECJ once challenged. As Max Schrems – the Austrian who was the named plaintiff in the case invalidating the Safe Harbor – was quoted as saying: “There will certainly be people who will file an action against [the agreement] and, depending on what is set forth in the final text, I could very well be one of those people.”

Also, whether the U.S. Senate will enact the Judicial Redress Act and, if so, in what form, remains outstanding. The Act would have given EU citizens (and citizens of other countries) the right to file suit under the U.S. Privacy Act of 1974 if the U.S. government misused their personal data. The U.S. Senate Judiciary Committee, however, added a last-minute amendment to the Judicial Redress Act bill setting forth that jurisdictions would be “covered” only if “[(i)] the country or regional economic integration organization, or member country of such organization, permits the transfer of personal data for commercial purposes between the territory of that country or regional economic organization and the territory of the United States, through an agreement with the United States or otherwise; and [(ii)] the Attorney General has certified the policies regarding the transfer of personal data for commercial purposes do not materially impede the national security of the United States.” In essence, the U.S. government is setting forth that it may continue to have access to personal data being transferred from the European Union to the United States for national security reasons. This last-minute amendment complicated the matter considerably as this essentially flew in the face of one of the primary concerns of the European Union, i.e., that the U.S. government – whether the NSA or another governmental body – essentially has unfettered access to commercial personal data being transferred from the European Union to the United States. It remains to be seen how this open issue will be addressed.

Commercial entities are now in the unenviable position of not knowing what the European Union and the United States will ultimately agree to within the next few weeks. Until this is resolved, companies are well-advised to rely on measures other than the Safe Harbor Agreement when transferring their data to the United States, such as concluding standard contractual clauses or assessing precisely how data security could be enhanced. The bottom line is that the difficulty the European Union and the United States are having in reaching a legally binding agreement reflects the fundamental difference of opinion between these jurisdictions as to how personal data is to be processed and transferred.

If you have questions on the foregoing, please contact one of the following:

Jörg Rehder (author)
Dr. Jörg Buschbaum (author)

Please note that the information contained in this newsletter is not meant to replace legal counsel. You should seek specific advice before taking any action with regard to the matters discussed above.