The European Commission adopted on July 12, 2016 its long-awaited decision recognizing the U.S. Privacy Shield as providing adequate protection for personal data of EU citizens transferred to the United States. The Privacy Shield is a set of rules and commitments issued by the U.S. Department of Commerce (DOC) and State Department primarily. This new framework will become operational on August 1, 2016.
It replaces the Safe Harbor, an earlier scheme that the European Commission had considered to provide adequate protection to personal data transferred to the United States and that many operators relied on to transfer data across the Atlantic. The Commission decision recognizing Safe Harbor as providing adequate protection was declared invalid on October 6, 2015 by the Court of Justice of the European Union (the Highest Court of the EU) in the Schrems case.
The Court of Justice annulled the Safe Harbor decision on the ground that Safe Harbor did not provide “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.” More specifically, the Court of Justice took issue with the fact that companies subscribing to the Safe Harbor and receiving personal data from the EU were bound to disregard the Safe Harbor principles anytime they would conflict with U.S. national security, public interest, or law enforcement requirements, without any limitation. It also criticized the fact that there was no rule or procedure to limit interferences with fundamental rights and freedoms of EU data subjects to what is strictly necessary to national security, public interest, or law enforcement; and no procedures to enable data subjects to exercise their right to know what data relating to them is being processed, and to have that data corrected or erased.
The Privacy Shield was negotiated between the European Commission and the U.S. authorities in order to reintroduce a scheme facilitating the transfer of personal data from the EU to U.S., which businesses need, while at the same time addressing the concern of the Court of Justice, which was necessary in order for the new scheme to withstand legal challenge. Before being formally adopted by the Commission, the new scheme was submitted to the data protection authorities of EU’s member states, which approved it on July 8th.
The Privacy Shield introduces significant changes to the defunct Safe Harbor. It imposes new obligations on the companies in the US receiving and processing personal data, in particular by restricting the onward transfer of personal data to third parties and by explicitly requiring companies to delete data once the purpose for which it was obtained expires.
Effective enforcement of EU data protection principles is ensured through regular reviews by the DOC of how companies subscribing to the Privacy Shield really comply with the rules and by more effective supervision mechanisms. Data subjects will also have the opportunity to file complaints with their home data protection authority in the EU, which will then forward them to the DOC or the International Trade Commission in the US for proper resolution. If this fails, disputes will be resolved through a binding arbitration mechanism (the Privacy Shield Panel).
The Privacy Shield also sets out limits on the bulk processing of personal data by the US authorities for intelligence and law enforcement purposes. Complaints of EU data subjects will be handled by an Ombudsman in the State Department, independent from the US intelligence services.
For more information about the Privacy Shield, see the Commission’s press release here, or feel free to contact our data protection team.
See also our earlier blog posts on Safe Harbour and the Privacy Shield: