"EU-US Privacy Shield" Instead of "Safe Harbor"

On 2 February 2016, the EU-Commission and the United States have agreed on new framework for transatlantic data flows: the "EU-US Privacy Shield". This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.

On 3 February 2016, the WP29 welcomed the "EU-U.S. Privacy Shield" and looks forward to receive the relevant documents in order to know precisely the content and the legal bindingness of the arrangement and to assess whether it can answer the wider concerns raised by Schrems judgment as regards international transfers of personal data.

Background

The EU-US Privacy Shield reflects the requirements set out by the Court of Justice of the European Union (CJEU) in its ruling on 6 October 2015, which declared the old Safe Harbor framework invalid.

Aim of EU-US Privacy Shield

The EU-US Privacy Shield will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.

The EU-US Privacy Shield includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access.

Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

Key Elements

The EU-US Privacy Shield will include the following elements:

• Strong obligations on companies handling Europeans' personal data and robust enforcement:
  U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.
  The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the FTC.
  In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.

• Clear safeguards and transparency obligations on U.S. government access:
  For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate.
  The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the EU-US Privacy Shield.
  To regularly monitor the functioning of the EU-US Privacy Shield there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.

• Effective protection of EU citizens' rights with several redress possibilities:
  Any EU citizen who considers that their data has been misused under the new arrangement will have several redress possibilities.
  Companies have deadlines to reply to complaints.
  European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission.
  In addition, Alternative Dispute resolution will be free of charge.
  For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

Next Steps

The College has today mandated Vice-President Ansip and Commissioner Jourová to prepare a draft "adequacy decision" in the coming weeks, which could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States.

In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.

(ga)

"EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield", press release IP/16/216, 2 February 2016

"Speaking points by European Commission Vice-President Ansip, in charge of the Digital Single Market, at the press conference on the new framework for transatlantic data flows: the EU-US Privacy Shield", SPEECH/16/218, 2 February 2016

"Speaking points by Justice Commissioner Jourová at the press conference on the new framework for transatlantic data flows: the EU-US Privacy Shield", SPEECH/16/221, 2 February 2016

"Statement of the Art. 29 Working Party on the Consequences of the Schrems judgment", 3 February 2016