
Zuber Lawler & Del Duca

Strategic Legal Solutions for Visionary Clients


New Safe Harbor for EU-US Data Transfer

August 4, 2016

In October 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor Framework that for fifteen years had defined the safe harbor for transferring personal data from the EU to the US. The ruling arose from a complaint by Austrian privacy advocate Max Schrems against Facebook, in which he argued that the transfer of his personal data from Facebook's Irish subsidiary to servers in the US violated EU privacy principles; the Court upheld the substance of his complaint.

In July 2016, the European Commission and the US Department of Commerce adopted the EU-US Privacy Shield, again defining a safe harbor so that transatlantic transfers of personal data for payroll, human resources, health and marketing purposes can resume. Like its predecessor, the new framework allows US-based organizations subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation to qualify for the safe harbor through annual self-certification to the US Department of Commerce that their handling of personal data collected in the EU complies with the Privacy Shield principles and terms.

The CJEU is likely to review the conformity of the Privacy Shield with the personal data processing principles of EU law, such as transparency, legitimate purpose, proportionality, data minimization, accuracy, storage limitation and accountability, notably as set forth in the EU Data Protection Directive 95/46/EC. Indeed, Mr. Schrems has declared his interest in provoking such a review. In April 2016, the US Supreme Court heightened European concerns about US governmental collection of personal data, and hence the likelihood of review, by amending Federal Rule of Criminal Procedure 41 to broaden the ability of federal judges to issue warrants for remote searches of computers and collection of information located outside the judge's territorial jurisdiction. This amendment takes effect on December 1, 2016 absent Congressional action. Notwithstanding the prospect of controversy, European privacy advocates note favorably that, under the recently enacted US Judicial Redress Act, Europeans can assert their privacy rights in American courts.

Key Features:

1.  Notice. A self-certifying organization, whether data controller or processor, must publish a privacy policy stating its commitment to the Privacy Shield principles and containing the required elements. Such elements include, among others, accountability for onward transfers of data to third-party organizations, and the right of the individual concerned to request free-of-charge investigation and resolution of complaints.

2.  Choice. Clear, conspicuous and readily available options must allow Europeans to consent to, or decline, the transfer or sharing of their data, with particular protection for sensitive information such as that pertaining to health, race, political affiliation or religion.

3.  Enforcement & Liability. Self-certifying businesses must commit to binding arbitration to resolve alleged violations of Privacy Shield rules. US businesses must also provide independent recourse mechanisms to investigate and resolve Europeans' complaints. Further, the Federal Trade Commission may issue administrative orders against US businesses to enforce compliance in transatlantic data transfers.

4.  Technical and Organizational Measures. Businesses must implement security measures adequate to the risk involved. Adherence to an approved code of conduct or certification mechanism may demonstrate compliance with this requirement.
Relevance to the UK Post-Brexit

Until the UK formally withdraws from the EU (unlikely to occur for some years), EU law, including the Privacy Shield, continues to apply to it. After withdrawal, the UK Information Commissioner's Office would likely seek to negotiate arrangements similar to the Privacy Shield.

What Should Companies Do?

Early self-certification under the new EU-US Privacy Shield may mitigate the liability risks associated with complaints by Europeans, the consequences of which could include having to return or delete Europeans' personal data, paying damages, and reputational harm.

Our team welcomes opportunities to discuss how we might assist to:


1.  Self-certify under the EU-US Privacy Shield,
2.  Conduct an internal gap analysis and review data privacy management policies and practices against the notice and choice requirements, and
3.  Assist in binding arbitration or enforcement actions before federal authorities.

About Zuber Lawler & Del Duca LLP

Zuber Lawler & Del Duca represents clients throughout the world from offices in Los Angeles, New York and San Jose, including Fortune 500 companies, funds and government entities. The firm offers expert legal representation in corporate, finance, intellectual property, M&A, litigation and regulatory matters, frequently with an international dimension focused on Asia, Europe or Latin America.

This update is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or of Zuber Lawler & Del Duca LLP (ZLD). Nothing in this update is to be considered as creating an attorney-client relationship between the reader and ZLD.