Two days after the expiration of the deadline to reach an agreement on data transfers between the EU and U.S., authorities on both sides of the Atlantic have announced a new framework to handle such transfers. The framework, known as the EU-U.S. Privacy Shield, is being touted by European privacy officials as a response to the concerns of many Europeans that their privacy was not adequately protected from commercial exploitation by U.S. companies or snooping by U.S. authorities in the name of national security.
Those latter concerns – championed by Austrian graduate student Max Schrems – resulted in the toppling of the prior U.S.-EU Safe Harbor in October. In a landmark ruling, the European Court of Justice overturned the European Commission’s 15-year old decision that the privacy principles of the Safe Harbor provided an adequate level of protection of the personal data of EU citizens. The ECJ’s ruling portended significant disruptions in existing global data flows for large and small companies alike and the possibility of staggering compliance costs as companies sought to operate under the disparate – and potentially conflicting – data privacy regimes of the 28 EU Member States. It also led to widespread speculation that a new framework would be put in place to address the both the concerns of the ECJ and the business community.
That speculation ended yesterday in the form of the EU-U.S. Privacy Shield. The new framework promises to:
- Impose strong obligations on companies that handle personal data from EU citizens;
- Demand robust enforcement by U.S. authorities against companies that fail to satisfy their obligations;
- Impose clear limitations, safeguards and oversight mechanisms to limit U.S. governmental access to data in the name of law enforcement and national security; and
- Grant redress avenues for EU citizens who believe that their personal data has been misused under the framework.
To effect these promises, the EU-U.S. Privacy Shield will require U.S. companies importing personal data from the EU to publish their privacy commitments. The U.S. Department of Commerce will monitor to ensure that privacy policies are published, and the Federal Trade Commission will prosecute violations by U.S. companies of their own policies. Additionally, U.S. companies that handle European human resources data must commit to abide by the decisions of European Data Protection Agencies (DPAs).
Aggrieved EU citizens will be able raise concerns to U.S. companies individually or through their own DPAs, which will then refer complaints to U.S. authorities. Free alternative dispute resolution will also be available. The U.S. will also create a new Ombudsperson to address concerns regarding national security-specific surveillance raised by EU citizens.
As part of the deal, the U.S. government has affirmed that it does not engage in indiscriminate mass surveillance activities and provided written assurances to the EU that governmental access to personal data in the name of national security will be subject to clear limitations, safeguards and oversight mechanisms. Little further detail was provided, but the U.S. has promised that access will be sought “only to the extent necessary and proportionate.”
The U.S. has also committed to submit to an annual joint review to monitor the functioning of the Privacy Shield. These reviews – conducted by the European Commission and the U.S. Department of Commerce – will specifically include the issue of national security access and will include national intelligence experts from the U.S. government and from European DPAs.
Despite the announcement by U.S. and EU authorities on the Privacy Shield, much work remains to be done. The EU College of Commissioners must draft an adequacy decision, which will then be submitted to the Article 29 Working Party for advice and comment. A committee of EU Member State representatives will also consult on the draft adequacy decision, after which time it will be adopted. During this period, U.S. authorities will prepare to implement its obligations related to the framework generally, monitoring mechanisms, and the Ombudsperson position.