U.S. and EU Negotiating New Data Transfer Agreement to Replace Invalid Safe Harbor

By John Sander, © Jackson Lewis Jan 14, 2016

The United States and the European Union are negotiating a new data transfer agreement to replace the “Safe Harbor” agreement that the European Court of Justice invalidated in Schrems v. Data Protection Commissioner. The Article 29 Working Party (comprised of representatives of European Data Protection Authorities (DPAs) and the European Commission) has given negotiators until Jan. 31, 2016, to create a new cross-border data sharing framework, after which the DPA’s may begin to take enforcement action against companies who do not have a transfer mechanism in place that complies with the EU’s privacy laws and regulations.


In Schrems v. Data Protection Commissioner, Maximillian Schrems, an Austrian national, filed a complaint with the Irish Data Protection Commissioner (Irish DPC) asking it to prohibit Facebook Ireland Ltd. from transferring his personal data to Facebook Inc. in the United States. Schrems asserted that U.S. law and practice did not ensure “adequate protection” -- the key measure of privacy protection under the EU Directive 95/46 -- of his personal data, based in part on the revelations made by Edward Snowden regarding surveillance activities by U.S. intelligence services. The Irish DPC rejected Schrems’ complaint as unfounded because there was no evidence that his personal data had been accessed. Further, the Irish DPC determined that the Safe Harbor agreement provided that an adequate level of protection existed for any personal data transferred to the U.S. Schrems challenged the ruling before the European Court of Justice.

The European high court struck down the Safe Harbor agreement, in part, because the U.S. government retains the right to access data in the U.S. for national security and law enforcement purposes and does not permit EU citizens to make complaints regarding the misuse of their personal data. The decision authorizes each DPA to consider individual claims asserting that the transfer of personal data from the EU to other countries violates EU privacy laws.

Negotiations for New Safe Harbor Agreement

Prior to, and now with increased urgency following the decision, U.S. and EU negotiators have been negotiating to develop solutions enabling data transfers to the U.S., while protecting the personal data of European citizens from perceived “massive and indiscriminate surveillance.” To address the high court’s concerns that EU citizens have no avenues for redress regarding any misuse of personal data, the negotiators are examining ways to provide mechanisms for EU citizens to make complaints directly to the national DPAs. Under the Safe Harbor, a similar procedure existed for complaints regarding human resources data, and U.S. companies handling such data were required to cooperate with DPAs regarding any complaints.

However, there are currently no complaint mechanisms in the U.S. to address claims by EU citizens regarding the misuse of their personal data. While the U.S. Federal Trade Commission monitors companies’ compliance with the Safe Harbor, it does not address individual complaints. The U.S. and EU negotiators have not yet reached an agreement regarding cooperation between the European privacy regulators and the FTC in the U.S. that would avoid giving the EU extraterritorial powers. Further, legislation passed by the U.S. House of Representatives, the “Judicial Redress Act of 2015” (H.R. 1428), which would provide citizens of certain foreign countries with the ability to bring suit in federal court for Privacy Act violations, has not been passed by the Senate.

If no agreement is reached between the U.S. and the EU, companies that previously relied on the Safe Harbor will need to develop alternate methods for complying with EU’s data privacy laws or be exposed to hefty non-compliance fines.

Next Steps for Companies

For those companies reliant on Safe Harbor as a mechanism to transfer employee data out of the EU, it is difficult to determine the path forward before the outcome of the current negotiations. In the meantime, it is prudent to assess the feasibility of other transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules, as well as other means of handling data which reduce the need to transfer out of the EU.

John Sander is an attorney in the New York City office of Jackson Lewis. Republished with permission. © 2016 Jackson Lewis. All rights reserved.


Job Finder

Find an HR Job Near You
Post a Job


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect