On 2 February 2016, the European Commission announced with some delay an agreement with the United States on a new framework for transatlantic data flows called the EU-US Privacy Shield. The new regime is based on: (a) strong obligations for companies handling Europeans` personal data and firm application; (b) clear guarantees and transparency obligations for U.S. government access; (c) effective protection of the rights of EU citizens, with several options for redress (including a mediator). On 19 January 2016, the US Chamber of Commerce issued a letter to President Obama, the Presidents of the European Commission and the Council, and the leaders of the 28 Member States of the European Union, in collaboration with BUSINESSEUROPE, DIGITALEUROPE and the Information Industry Council, in which they stressed the urgent need to reach agreement on a new secure data transfer mechanism and to ensure long-term security for companies of all sizes, which depend on the flow of data and information in the Atlantic. On 6 October 2015, the European Court of Justice issued a judgment declaring the European Commission`s 2000/520/EC decision of 26 July 2000 « regarding the adequacy of the protection of safe harbor principles and the frequently asked questions by the US Department of Commerce » « invalid ». Under this decision, the US and EU Safe Harbor framework is not a valid mechanism for meeting EU data protection requirements when transferring personal data from the European Union to the Us. In a non-binding preliminary opinion last month, the Court`s General Counsel, Yves Bot, went far beyond the court issue and said that data protection authorities should investigate not only complaints, but also the fact that the Safe Harbor Agreement was not valid because it offered insufficient protection. EU law requires companies that export citizens` personal data to do so only in countries with a similar level of legal protection for such data. In the case of the United States, the exchange of personal data is covered by the Safe Harbor Privacy Principles, which the European Commission described as adequate protection in July 2000.
Companies that refer to the Safe Harbor Agreement to transfer personal data from the EU to the US could now engage in illegal activities. On 8 September 2015, the European Commission publishes a brochure on frequently asked questions about the Umbrella Agreement, which aims to establish a high-level data protection framework for EU-US law enforcement cooperation. The agreement includes all personal data exchanged between the EU and the US and the necessary security measures for the prevention, detection, investigation and prosecution of criminal offences, including terrorism. On January 25, 2016, the Electronic Privacy Information Center (EPIC) finally succeeded in forcing the U.S. Department of Justice (DOJ) to publish the entire text of the EU-U.S. agreement. EPIC sued the DOJ last year after the Agency failed to respond to EPIC Freedom of Information Act`s request for the secret agreement.