Safe Harbor 2.0: EU–US Privacy Shield
On 2 February 2016, the European Commission and the United States agreed on a new framework for transatlantic data flows. Instead of "Safe Harbor", the new agreement is called the "EU–US Privacy Shield". The EU member states and the European Parliament still need to approve the arrangement in the upcoming days.
The new framework should provide legal certainty to companies after the confusion caused by the Schrems ruling [see: Safe Harbour No Longer] of the Court of Justice of the European Union on 6 October 2015, in which the court declared the Commission's endorsement of the Safe Harbour arrangement invalid.
What was agreed?
The new arrangement will impose more stringent obligations on US companies to protect the personal data of EU citizens. It will also impose stronger monitoring and enforcement obligations on the US Department of Commerce and Federal Trade Commission, for example, through increased co-operation with European data protection authorities.
The agreement includes the following provisions:
- US companies that wish to receive personal data from the EU will be required to commit to stronger obligations on how personal data is processed and how individual rights are guaranteed.
- The US Department of Commerce will monitor companies who process EU data, thereby making their commitments enforceable by the US Federal Trade Commission under US law.
- US companies handling human resources data from the EU have to comply with decisions of European data protection authorities.
- Access of US law enforcement and national security authorities to personal data transferred under the Privacy Shield will be subject to clear limitations, safeguards and oversight. Exceptions are allowed only to the extent necessary and proportionate.
- Citizens who believe that their data has been misused under the new arrangement will have several redress possibilities. Alternative dispute resolution will be free of charge.
- Companies will be required to reply to complaints within a set timeframe.
- European data protection authorities will be able to refer complaints to the US Department of Commerce and the Federal Trade Commission.
- Complaints on possible access by national intelligence authorities will be referred to an Ombudsperson that will be created.
The implementation of the arrangement will be subject to annual joint reviews to monitor the functioning of the arrangement. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the United States and European data protection authorities to participate.
What happens next?
The day after the conclusion of the negotiations, on 3 February, the Article 29 Working Party, representing EU's data protection authorities, published its reaction to the agreement.
The Working Party welcomes the agreement and will now assess whether the arrangement is sufficient considering the right to respect for private life and data protection enshrined in European fundamental rights law. The Working Party will analyse the result of the negotiations in the light of the essential guarantees for intelligence activities elaborated in the jurisprudence of the European Court of Justice.
The European Commission will prepare a draft "adequacy decision" in the upcoming weeks, which could then be adopted by the College of Commissioners at the European Union after obtaining the advice of the Article 29 Working Party and after consulting representatives of the EU member states.
The United States, for its part, will make the necessary preparations to enforce the framework, monitoring mechanisms and the Ombudsperson.
Practical implications
Once found adequate by the Commission, the Privacy Shield agreement will provide a valid legal basis for transatlantic data flows, thereby removing the enforcement uncertainty currently facing European companies that have not switched from using the now-defunct Safe Harbour.
In welcoming the agreement, the Article 29 Working Party also confirmed that so-called standard contractual clauses and binding corporate rules can still be used for transferring personal data to US companies and services.
At the same time, however, the Working Party communicated that, once the full assessment of the Privacy Shield documentation has been carried out, it will provide an overall statement of validity on all methods of transferring personal data to the United States.
The last word has not been said on this subject, so stay tuned.