Whilst it may sound like some new deodorant designed to remove the smell left by the Snowden revelations and the Schrems judgement and to clean up transatlantic data flows, “EU-US Privacy Shield” is the new framework agreed between the EU and USA according to an announcement by the EU Commission yesterday (2 February 2016).
The purpose of the new framework is to protect “the fundamental rights of Europeans where their data is transferred to the United States” as well as ensuring legal certainty for businesses.
As we discussed at our recent seminar on Data Protection, 21 January 2016, the loss of Safe Harbor has created considerable business uncertainty, especially as to how the EU’s Data Protection Authorities (“DPAs”) would react following the expiry on 31 January of the Article 29 Working Party’s “moratorium” (the Article 29 Working Party comprises the heads of the EU members’ DPAs).
As EU Commissioner Jourová said in the EU press release:
“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”
The arrangement will include:
- Strong obligations on businesses handling Europeans’ personal data and robust enforcement
- Clear safeguards and transparency obligations on US government access
- Effective protection of EU citizens’ rights with several redress possibilities
So, US businesses importing personal data will need to commit to “robust obligations” on how they process that data and guarantee individuals’ rights. This will be monitored by the US Department of Commerce, which will require publication of those commitments; the commitments will be enforceable by the US Federal Trade Commission.
Furthermore, any business handling human resources data from Europe must commit to comply with the decisions of European DPAs.
Alongside this, the US has given the EU assurances that the access to data of public authorities for national security and law enforcement will be made subject to clear limitations, safeguards and oversight. All of this will be reviewed annually by the EU Commission and US Department of Commerce.
… and for the EU citizen? Any EU citizen who feels their data has been misused will have several redress possibilities; there will be deadlines for businesses to reply to complaints and European DPAs will be able to refer complaints to the Department of Commerce and the US Federal Trade Commission. There will be a new US Ombudsman created to handle complaints on possible access by national intelligence authorities as well as a free dispute resolution process.
The Article 29 Working Party will review the proposed measures shortly.
As ever with announcements of this nature, the devil will be in the detail, and we await that. In the meantime, the US assurances, especially as regards mass surveillance and the “policing” of robust measures, are extremely encouraging, and this is very positive news for all involved in transatlantic data flows.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.