The Privacy Shield will require greater protections for personal data and provide increased oversight
EU Justice Commissioner Vera Jourová and her colleague Andius Ansip gave a press conference this afternoon (local time) announcing that the long-running negotiations between the EU and US to find a replacement to the invalidated Safe Harbor programme have reached a successful conclusion. The US. Department of Commerce gave a subsequent briefing via telephone from Washington, DC and Brussels, during which it accepted questions from participants.
The new programme will be called the EU-US Privacy Shield and is expected to be in operation in three months’ time. Some of the key provisions of the new programme are:
- Greater transparency around the extent of and the limitations on US government surveillance.
- Commitments from the US not to carry out mass indiscriminate surveillance of EU citizens.
- The White House to provide written assurances regarding the safeguards which will be put in place.
- An annual joint review of the efficacy of the programme will be undertaken, which will include input from both US experts and EU regulators.
- The European Commission has committed to on-going monitoring of the programme to ensure it continues to meet the principles on which it has been established.
- The first annual review is expected in 2017.
- The EU Commission will provide clear guidance to citizens on how to seek legal redress under the programme.
- In the first instance, companies will be expected to resolve individual complaints, as occurred previously under the Safe Harbor.
- The next step will be escalation to national Data Protection Authorities, working with the US Department of Commerce and the Federal Trade Commission, through a new alternative dispute resolution procedure to ensure that complaints are dealt with within a set timeframe. We understand that details of the ADR procedure are still being worked out. If complaints are not resolved within a reasonable timeframe, they may be referred to a newly appointed Ombudsperson, within the US State Department, independent of the US intelligence agencies, who will address the complaint.
- EU citizens will have rights, for the first time, to access US courts in the context of data that is being used for law enforcement purposes.
- Companies participating in the programme will be subject to on-going review by the Department of Commerce and the FTC.
- It has been emphasised that this is a “living” programme – problems with the Privacy Shield should be fixed as and when they arise.
- If companies are found not to be compliant, they may face sanctions, or removal from the programme.
Data handling obligations
- Conditions around the onward transfers of personal data will be tightened up.
- There will be clearer safeguards and increased transparency around the level of access which US authorities will be permitted to have to data held by US companies.
Although we now have certainty that there will be a replacement to Safe Harbor, some steps remain before the Privacy Shield will come into operation:
- Commissioner Jourová will present the agreement to the Article 29 Working Party (the grouping of European national Data Protection Authorities) on Wednesday 3 February
- A draft “adequacy decision” will be adopted by the College of EU Commissioners in the coming weeks
- On the US side, the relevant authorities will need to prepare and then formalize the commitments which are to be given under the agreement
- There is a desire to implement the new Privacy Shield “as soon as possible” − the Commission has estimated three months and
- Commitments have been given that the Privacy Shield will be compliant with the General Data Protection Regulation, which should come into force in 2018. DLA Piper’s guide to the new Regulation can be accessed here. According to the US Department of Commerce, while the focus of the negotiations was on the replacement of Safe Harbor, the GDPR was considered during the process. The annual review process for Privacy Shield will also provide an avenue for making any necessary amendments to the programme.
US Department of Commerce briefing on Privacy Shield
During a telephone briefing today, the US Department of Commerce confirmed the agreement on Privacy Shield. The Department did not give any commitment on the timing for release of the full text of the new programme, nor did the Department take any position on whether companies whose Safe Harbor certifications are coming up for renewal should renew under the existing Safe Harbor programme. A Department of Commerce official indicated that the Department would conduct a number of upcoming briefings as more details emerge and the text of the Privacy Shield programme details are released.