You will probably be seeing reports that the European Union (EU) and the United States (US) agreed on a new mechanism to replace the old Safe Harbor, effectively titled the “Privacy Shield.”
The details are hazy and a formal written policy has not been released, but as far as I can glean, the new mechanism and requirements for American companies should not be all that different from those that applied to companies previously wanting to benefit from a self-certifying mechanism administered by the Federal Trade Commission (FTC). Under the previous regime, Safe Harbor and model clauses between an EU data controller and a US data processor/controller were merely a private affair; now, the US government becomes a third-party protector by including written guarantees limiting how the American intelligence agencies collect data on Europeans.
The whole framework has to be approved by the data protection regulators in the 28 member states. France and Germany have already expressed reservations. France’s privacy chief is also the chair of the pan-European committee that will review the proposal, and her initial remarks indicate that she wants more significant undertakings from the US. An outspoken German member of parliament, who helped bring the General Data Protection Regulation (GDPR) into existence, has called the whole thing “a joke.” All of this leads me to believe that this issue is not going away anytime soon.
The future of intra-company model clauses is still not clear at all, and there has been little discussion about how these developments intersect with the new GDPR. In order to get a better grip on the future of intra-company agreements, I am attending a summit in Brussels on GDPR in two weeks. I will report to clients on what I learn.