The European Commission has announced that a political agreement has been reached on a new framework on transatlantic data flows. The announcement was made in a press conference on February 2nd by Vice President Ansip and Commissioner Jourová, in which the Commissioner expressed the hope that the new framework, dubbed the “EU-US Privacy Shield,” will be in force within three months. The Commissioner identified three key elements of this new framework: (i) strong obligations on companies handling the personal data of Europeans and robust enforcement; (ii) clear safeguards and transparency obligations on US government access; and (iii) effective protection of the rights of EU citizens, with several redress possibilities.
Following the invalidation of the Safe Harbor framework by the Court of Justice of the European Union (CJEU) on October 6th, 2015, the Article 29 Working Party set a deadline of January 31st, 2016 by which the European Commission and the US authorities should find “political, legal and technical solutions enabling data transfers to the [US] that respect fundamental rights.” The Article 29 Working Party acknowledged in its guidance issued on October 16th, 2015 that this could in part be achieved through the implementation of what is now called the EU-US Privacy Shield.
The EU-US Privacy Shield will take the form of an exchange of letters signed at what is described as the highest political levels, but it will not involve a treaty that would have constrained further CJEU review. According to the Commission, these legally binding commitments will ensure that the safeguards are essentially equivalent to those that exist in the EU. Following a summary of the status of the negotiations given by Commissioner Jourová on February 1st, 2016, the members of the LIBE Committee questioned the legal effectiveness of an exchange of letters.
During the press conference, Commissioner Jourová stressed that the new framework for transatlantic data flows will be able to withstand the inevitable next legal challenge, as the CJEU ruling was “used as a benchmark to formulate” the new framework. The Commissioner further confirmed that the new arrangement will include the following elements:
- US companies participating in the EU-US Privacy Shield will have to commit to “robust obligations on how personal data is processed and individual rights are guaranteed.” Activities will be monitored by the Department of Commerce and subject to enhanced enforcement by the Federal Trade Commission (“FTC”), and companies processing European HR data will need to commit to comply with decisions by European Data Protection Authorities.
- Written assurances will be given from the US that for data transferred under the Privacy Shield: (i) access to personal data by public authorities will be subject to clear limitations (i.e., what is strictly necessary and proportionate), safeguards, and oversight mechanisms; (ii) there will be no indiscriminate mass surveillance, except perhaps where tailored and targeted access is not operationally feasible or in the event of emergencies; (iii) safeguards will apply equally to non-US citizens; and (iv) an Annual Joint Review Committee will be established to look at all aspects of the framework including access by public authorities. The review will be conducted by the European Commission and the US Department of Commerce, assisted by US security and intelligence agencies and European Data Protection Authorities.
- In terms of individual redress with respect to surveillance, there will be an independent ombudsperson, with a “real capacity to act” on individual complaints regarding possible access by national intelligence authorities.
- Unresolved complaints will be referred to a “last resort mechanism” – a binding arbitration panel – to the extent the complaint cannot in the first instance be resolved by the company, the alternative dispute resolution procedure or the FTC or the Department of Commerce. Note that the use of this arbitration mechanism would give rise to an opportunity for judicial review under the Federal Arbitration Act.
- A suspension clause is included, and Commissioner Jourová said this will be exercised in the event the commitments are not fulfilled by the US.
The press conference was held after the College of Commissioners mandated the Commissioner and the Vice President to prepare a draft “adequacy decision” in the coming weeks – the start of the comitology process. Following advice from the Article 29 Working Party and consultation with a committee of representatives from the EU Member States, the College may then adopt the decision.
It is also important to note that the passing of the deadline imposed by the Article 29 Working Party marks the end of the “grace period” for companies needing to implement alternative data transfer mechanisms. Based on the Working Party’s guidance issued on October 16th, 2015, data protection authorities are now “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
Significantly, the Article 29 Working Party is expected to issue further guidance in the coming days on the impact of the CJEU judgment on the other data transfer tools, such as Standard Contractual Clauses and Binding Corporate Rules. Its meetings on February 2nd and 3rd are expected to resolve whether it endorses enforcement or entertains some further “grace period” to allow for the comitology process that will be required before the EU-US Privacy Shield can be finalised.