After the European Court of Justice invalidated the Safe Harbor program in theSchrems case (on grounds that it failed to adequately protect EU citizens’ privacy rights), the European national data protection authorities (DPAs) announced that they would wait until the end of January before taking “necessary and appropriate actions,” possibly including “coordinated enforcement actions,” against illegal transfers of EU citizens’ data in the absence of a data transfer agreement between the United States and the European Union. On February 2, 2016, the US government and the EU Commission reached a deal dubbed “the EU-US Privacy Shield.” The newly mandated agreement aims to establish a framework to protect the fundamental rights of Europeans when their personal data is transferred to US companies and ensure legal certainty for businesses.
EU Commissioner Vĕra Jourová noted that the goal was to create a “strong and robust data protection regime” to allow transatlantic data transfers to continue, to build a framework that respects the Schrems ruling, and to rely on a “trust but verify approach.” When announcing the agreement between the European Union and the United States, Commissioner Jourová said, “For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.” US Secretary of Commerce Penny Pritzker said, “It provides certainty by ensuring that thousands of European and American businesses and millions of consumers can continue to access services online that improve their livelihoods and strengthen their businesses.”
The EU-US Privacy Shield will include the following elements:
- Strong obligations for companies that handle Europeans’ personal data and robust enforcement of rights: US companies that wish to import personal data from Europe will need to commit to robust obligations for how personal data is processed and individual rights are guaranteed. The US Department of Commerce will monitor whether companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any company that handles human resources data from Europe has to commit to comply with decisions by European DPAs.
- Clear safeguards and transparency obligations for US government access: Access to public authorities for law enforcement and national security will be subject to clear limitations, safeguards, and oversight mechanisms. Exceptions must be used only to the extent necessary and proportionate. The United States has ruled out indiscriminate mass surveillance on the personal data transferred to the United States under the new arrangement. To regularly monitor the functioning of the arrangement, there will be an annual joint review that includes the issue of national security access. The European Commission and the Department of Commerce will conduct the review and invite national intelligence experts from the United States and European DPAs to it. This requires independent oversight and transparency, particularly in the national security sector.
- Effective protection of EU citizens’ rights with rights of redress:Any citizen who considers his or her data misused under the new arrangement will have several options for redress. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission, and companies have deadlines to reply to complaints. Alternative dispute resolution will be free. For complaints on possible access by national intelligence authorities, a new ombudsperson will be created.
Despite the agreement between the European Union and the United States, the EU-US Privacy Shield will not apply to data transfers until it is adopted by the European Commission after input from the European DPAs (represented through the so-called Article 29 Working Party). Based on a recent press release, it remains unclear whether the Article 29 Working Party will agree to the deal.