The European Commission has announced that it has reached an agreement with the United States government for a new framework for transatlantic flows of personal data.  This framework is to replace the Safe Harbor scheme which the Court of Justice of the European Union declared invalid in October last year.

What will the "Privacy Shield" look like?

The European Commission's press release states that the EU-US Privacy Shield "reflects the requirements set by the European Court of Justice".  

However, at this stage only political agreement has been reached and Vice President Ansip and Commissioner Jourová have been mandated to take the necessary steps to put the arrangement in place.  In particular, they will need to turn to the Article 29 Working Party to obtain their advice before publishing a formal "adequacy" decision.  Both sides will then need to put the detailed framework in place.

The European Commission have, however, thrown some light on some of the features of the arrangement as follows:

  • Strong obligations on US companies and robust enforcement: US companies wishing to import personal data from Europe will commit to robust obligations on processing and will guarantee individual's rights. The US Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European data protection authorities. 
  • Safeguards and transparency obligations on U.S. government access: The US has given written assurances that the access for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European data protection authorities to it.
  • Effective protection of EU citizens' rights with several redress possibilities: A complaints framework will be set up to give data subjects the ability to complain in the US. Companies have deadlines to reply to complaints. European data protection authorities can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
  •  

What will this mean for businesses looking to transfer data to the US?

We anticipate that the framework will be established within the next three or four months. So, in the short-term, businesses should continue to the Commission's model clauses or binding corporate rules for intra-group transfers to legitimise transatlantic transfer of data. 

Undoubtedly questions will be raised about the strength of the features of the arrangement.  For example, the legal strength of the written assurances regarding the surveillance activities of US enforcement and security agencies is unclear.   Also, the rights of redress for consumers appear to be a complaints mechanism together with alternative dispute resolution; falling short of any right of action before any court or tribunal.  There may, therefore, be a few bumps in the road for the Privacy Shield before it is established and, even then, there is always the possibility that the European Court of Justice will again here a case which brings into question the adequacy of the arrangement.

We will, therefore, keep a keen eye on the area of transatlantic transfers of personal data, and we recommend that businesses do the same.