On February 2, 2016, representatives of the European Commission and the United States agreed on a new framework for transatlantic data flows, referred to as the “EU-U.S. Privacy Shield.” This long awaited announcement follows the October 6, 2015, decision by the EU Court of Justice invalidating the EU-U.S. Safe Harbor agreement. While the full text of the EU-U.S. Privacy Shield agreement has not yet been officially released, the EU Commission press release explains that the arrangement’s main elements include:
- Companies that agree to the EU-U.S. Privacy Shield must abide by “robust obligations on how personal data is processed and individual rights are guaranteed.”
- Companies must also publish their commitments. The Department of Commerce will monitor those published commitments.
- Companies handling human resources data will be subject to decisions made by European Data Protection Authorities (“DPAs”).
- U.S. government access for law enforcement and national security will be subject to “clear limitations, safeguards and oversight management,” and the U.S. will not engage in “indiscriminate mass surveillance on the personal data transferred to the U.S. under the new arrangement.” The European Commission and the U.S. Department of Commerce will conduct annual joint reviews “to regularly monitor the functioning of the arrangement.”
- EU citizen’s who feel their data has been misused will have several redress possibilities, including:
- Companies that agree to the EU-U.S. Privacy Shield must reply to any complaints received by set deadlines.
- European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission.
- Alternative Dispute resolution will be available free of charge.
- Complaints and inquiries about access to personal data by national intelligence authorities will be referred to a newly created U.S. “Ombudsperson.”
U.S. Secretary of Commerce, Penny Pritzker, also issued a press release highlighting the importance of the EU-U.S. Privacy Shield: “This historic agreement is a major achievement for privacy and for businesses on both sides of the Atlantic. It provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online.”
In the coming weeks, European Commission Vice-President for the Digital Single Market, Andrus Ansip, and European Justice Commissioner, Vera Jourová, will prepare a draft "adequacy decision.” The decision then could be adopted by the College of Commissioners “after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States.” The U.S. will “make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.” At the press conference announcing the agreement, Commissioner Jourová said she expects the Privacy Shield agreement will be implemented in the next three months.
By Carolyn Krol