After two years of negotiations, the European Commission (EU Commission) and the US Government have agreed upon a new data flow framework to replace the “Safe Harbor” program, the legal basis for which was invalidated by the European Court of Justice in October 2015.
Key Elements of the Agreement
According to an EU Commission press release, the new EU-US Privacy Shield “will protect the fundamental rights of Europeans where their data is transferred to the United States.” The new agreement, which is still subject to an “adequacy” decision by the EU Commission, reportedly includes the following key provisions:
- US data importers signing up to the new program will be required to adhere to “robust obligations” regarding the processing of EU personal data. The US Department of Commerce (DOC) will monitor compliance, and data privacy and protection commitments relating to the processing of online and customer data will be enforceable by the US Federal Trade Commission. US companies processing EU human resources data pursuant to the new Privacy Shield arrangements will be required to comply with decisions of EU Data Protection Authorities (DPAs) at the member state level if any complaints arise.
- The US Government has provided written assurances that there will be clear limitations on access by US law enforcement and national security agencies to EU personal data that is transferred to the US pursuant to the new arrangements. These commitments will be monitored in annual reviews undertaken jointly by the EU Commission and the DOC. Intelligence experts from the US and EU DPAs will also be invited to participate in these reviews.
- An affordable and effective alternative dispute resolution mechanism will be established to resolve complaints brought by EU citizens relating to the processing of their personal data. Companies that participate in the Privacy Shield will be required to commit to offer binding mediation as a last resort to resolve complaints raised by EU citizens. Individual, specific remedies will be available under this last-resort, binding mediation. A newly created Ombudsperson will handle EU complaints relating to access by intelligence authorities.
The College of EU Commissioners has directed Vice-President Andrus Ansip and Justice Commissioner Věra Jourová to proceed in the next two weeks to prepare a draft of the adequacy decision pursuant to which the EU Commission will approve the new Privacy Shield arrangements. Before taking this decision, the EU Commission will consult with the Article 29 Working Party (“WP29”) and EU member state representatives forming the so-called Article 31 Committee.
In the meantime, the US will appoint the new Ombudsperson and put in place the new framework and monitoring mechanisms agreed by the two sides.
The US approval process will be similar to that used to approve the Safe Harbor Framework in 2000, i.e., commitment letters from the relevant Departments/Agencies will be executed by cabinet-level representatives. The process by which US companies register for the Privacy Shield program is expected to be much the same as the Safe Harbor self-certification process. However, significantly greater scrutiny is to be expected on both sides of the Atlantic.
The timing for the public release of the final text of the Privacy Shield agreement remains unclear, and the devil may well be in the details from the perspectives of the various stakeholders, including EU Member States and DPAs. The EU Commission and the DOC are expected to provide periodic briefings as more details become available. The transition period and the process for launching the new Privacy Shield Framework are also reportedly still under discussion. The EU press release indicates that it will take three months for the formal agreement to come into effect.
Other uncertainties remain. Although it is evident that the US and EU negotiators did their best to address the concerns identified by the EU Court of Justice in its Schrems judgment, the new arrangements are unlikely to satisfy privacy advocates who have called for significantly greater commitments from the US side.
Response of the DPAs
The German Federal Data Protection Commissioner has already warned that the agreement will need to be examined very carefully to determine whether it “can actually fulfil the necessary guarantees for legally compliant data transfers to the USA” and ensure that “the ‘EU-US data protection shield’ really deserves its name and is not full of holes at the crucial points.” And the Chair of the EU Parliament Committee responsible for data protection matters issued a statement welcoming the EU Commission’s efforts but expressing deep concerns over “the value of the proposals in reality, from the ombudsman to future guarantees on judicial redress,” and promising hearings on the agreement.
The WP29 has called on the Commission to provide all the documents pertaining to the new Privacy Shield arrangement by the end of February. The WP29 will then hold a plenary meeting to complete its assessment in relation to all transfers to the US. It will also consider whether the EU Standard Contractual Clauses and Binding Corporate Rules may continue to be utilized for such transfers but has stated that, in the meantime, they can still be used.