The European Commission has issued the legal texts that will put in place the so-called EU-U.S. Privacy Shield. The Commission is also summarizing the actions taken over the last years to restore trust in transatlantic data flows since the 2013 surveillance revelations.
In October 2015 the European Court of Justice (ECJ) invalidated the “Safe Harbor” agreement which allowed for the transfer of personal data to the United States. Since then the negotiations between the European Commission and the U.S. Department of Commerce on a new “safer Safe Harbor” have been intense.
The deadline for reaching an agreement on 31 January 2016 was missed by the two parties. The Commission announced on 2 February a new deal marketed as the “EU-U.S. Privacy Shield”.
The Commission finalized this week (29.2) the reform of EU Data protection rules, which apply to all companies providing services on the EU market (see Q&A). According to the Commission, the reform is in line with President Juncker’s political guidelines in his opening statement in July 2014 in the European Parliament (“A new start for Europe”).
The Commission also made public a draft “adequacy decision” which establishes that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law and international commitments (see Q&A).
This includes the Privacy Shield Principles companies have to abide by, as well as written commitments by the U.S. Government (to be published in the U.S. Federal Register) on the enforcement of the arrangement, including assurance on the safeguards and limitations concerning access to data by public authorities.
Trust is a must
Vice-President Ansip said: “Now we start turning the EU-U.S. Privacy Shield into reality. Both sides of the Atlantic work to ensure that the personal data of citizens will be fully protected and that we are fit for the opportunities of the digital age. Trust is a must; it is what will drive our digital future.”
Commissioner Jourová said: “Protecting personal data is my priority both inside the EU and internationally. The EU-U.S. Privacy Shield is a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds.”
According to the European Commission, the U.S. authorities have provided strong commitments that the Privacy Shield will be strictly enforced and have assured that there is no indiscriminate or mass surveillance by national security authorities.
The Commission writes that for the first time, the U.S. government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalized access to personal data.
U.S. Secretary of State John Kerry committed to establishing a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State, who will be independent from national security services.
The Ombudsperson will follow up on complaints and enquiries by individuals and inform them whether the relevant laws have been complied with. These written commitments will be published in the U.S. Federal Register.
EU citizens with complaints have several redress possibilities: Complaints have to be resolved by companies within 45 days. A free of charge Alternative Dispute Resolution solution will be available. EU citizens can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved.
As a last resort, there will be an arbitration mechanism ensuring an enforceable remedy. Moreover, companies can commit to comply with advice from European Data Protection Agencies. This is obligatory for companies handling human resource data. An annual EU-US joint review mechanism will also be established to monitor the functioning of the Privacy Shield.
As a next step, a committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities will give their opinion, before a final decision by the College of Commissioners. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.
Following the adoption of the Judicial Redress Act by the U.S. Congress, signed into law by President Obama on 24 February, the Commission will shortly propose the signature of a data protection framework for EU-US law enforcement cooperation, the so-called Umbrella Agreement (see Q&A). The decision should be adopted by the Council after obtaining the consent of the European Parliament.
During the negotiations, the United States maintained that it already offers an adequate level of privacy protection. However, the ECJ ruling was clear in its dismissal of the privacy protection offered in the United States. A key issue was providing access to justice for Europeans in the United States. This issue seems to have been addressed in the new EU-U.S. Privacy Shield.
However, the issue of indiscriminate mass surveillance in the United States, as disclosed by former U.S. contractor Edward Snowden, may still raise concern. The American authorities claim that U.S. security personnel have no direct access to individual data but only to the results presented by algorithms that filter out irrelevant information.
Without a clear definition of mass surveillance, “the legal limbo is likely to remain until another court case on the new EU-U.S. Privacy Shield reaches the ECJ,” writes Swedish lawyer Christian Ernhede on statusquo.eu.
The Brussels Times