After months of intense negotiations, the European Commission and the US Government announced today an agreement on the EU-US Privacy Shield (see http://europa.eu/rapid/press-release_IP-16-216_en.htm).  This new arrangement replaces the US-EU Safe Harbor Privacy Arrangement ("Safe Harbor"), which was struck down by the Court of Justice of the European Union on October 6, 2015.  The EU-US Privacy Shield builds upon the original Safe Harbor, and establishes a range of additional protections for European personal data, particularly on the issues of public authority access to data.  The new arrangement is a critical achievement to help assure continuity of transatlantic data flows, which are vital to the digital economies in both Europe and the United States.  The negotiators on both sides of the Atlantic should be praised for this achievement as it is a "win-win" for data protection and the transatlantic digital economy.

What are the requirements of the new EU-US Privacy Shield?

Although the details of the arrangement still require further study, key features appear to include:

  1. Clear safeguards and transparency obligations on US government access.  US authorities have, for the first time, given written assurances to their European counterparts that law enforcement and national security access to personal data will be subject to clear limitations, safeguards, and oversight mechanisms to assure proportionality and necessity.  There will be an annual joint review of the arrangement, including the national security access issue.
  2. Strong obligations on companies handling Europeans' personal data and robust enforcement.  Under the Privacy Shield, US recipients of personal data from the EU will be required to commit to robust obligations on how personal data is processed and individual rights are guaranteed.  The US Department of Commerce will monitor whether companies publish their commitments to the Privacy Shield, and will otherwise assure application of enforcement authority by the US Federal Trade Commission under US law.
  3. Effective protection of EU citizens' rights with several redress possibilities.  Any EU citizen who considers that their personal data has been misused under the new arrangement will have several redress possibilities.  European Data Protection Authorities can refer complaints to the US Department of Commerce and the Federal Trade Commission.  There will be deadlines for responding to complaints, and alternative dispute resolution will be free of charge.  In addition, a new Ombudsperson will be created within the US Department of State to handle complaints about national intelligence authority access to European personal data.  

What are the next steps?

The European Commission will prepare a draft adequacy decision for the arrangement, which could then be adopted following consultation with the Article 31 committee of Member State representatives, and after obtaining the advice of the Article 29 Working Party of data protection authorities.  On the US side, the US authorities will in the meantime proceed to take the necessary steps to formalize their commitments in writing.  The European Commission has expressed its hope that these procedures can be completed within three (3) months, and it is expected that US companies participating in Safe Harbor will have some time to decide whether to join the new arrangement. In the meantime, companies should continue to pursue appropriate data transfer and data processing agreements and monitor updates from data protection authorities regarding transition periods and enforcement of existing laws.