The European Commission announced yesterday that the EU and the U.S. have agreed to a deal to allow U.S. businesses to transfer personal data to and from the EU. The so-called EU-US Privacy Shield was drafted to reflect the requirements set out in the European Court of Justice's October ruling in the Schrems case, which declared that the existing Safe Harbor agreement was invalid.

The European Commission's press release announcing the deal included the following summary of key provisions:

  • Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs [Data Protection Authorities].
  • Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
  • Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

According to media reports, the ombudsperson position will be created within the State Department.

The EU-US Privacy Shield must still be formally approved by EU member states, whose privacy regulators have been meeting on the issue this week. The Article 29 Working Party (WP29), which is composed of the various DPAs in the EU, today issued a statement welcoming the agreement. Nevertheless, the WP29 stated that because it does not yet have access to the full text of the agreement, it remains cautious regarding the agreement's content and legally binding effect. The WP29 stated that it will conduct an in-depth analysis of the agreement to verify that it complies with the principles announced by the European Court of Justice in Schrems. The WP29 has requested that the European Commission send all documents pertaining to the agreement to the WP29 by the end of February.

If approved, the agreement could go into effect by April. The agreement is also expected to face legal challenges from privacy rights advocates.

The staff was careful to point out that directors are not expected to be involved in the day-to-day administration of a fund's distribution arrangements, and that they can rely on the adviser and other service providers to "affirmatively" provide information about servicing arrangements, including summary data about expenses and activities related to distribution.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.