EC launches EU-US Privacy Shield and promises “stronger protection” for transatlantic data flows

The European Commission (EC) has now formally adopted the EU-US Privacy Shield which invokes a new framework for any transatlantic exchanges of personal data for commercial purposes. The EC presented the draft decision texts on 29 February this year. Following on from views expressed by the Article 29 Working Party on 13 April and the European Parliament resolution of 26 May, the Commission finalised the adoption procedure on Tuesday 12 July.

In essence, this all-new framework protects the fundamental rights of anyone in the European Union (EU) whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.

The EU-US Privacy Shield is based on the following principles:

Strong obligations on companies handling data

Under the new arrangement, the US Department of Commerce will conduct regular updates and reviews of participating companies to ensure that they follow the rules to which they’ve submitted themselves. If organisations don’t comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.

Clear safeguards and transparency obligations on US Government access

The US has given the EU assurances that the access to data by public authorities for law enforcement and national security purposes is subject to clear limitations, safeguards and oversight mechanisms. For the first time, everyone in the EU will benefit from redress mechanisms in this area, with the US Secretary of State established a redress possibility in the area of national intelligence for Europeans through an Ombudsman mechanism within the Department of State.

The US has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-US Privacy Shield arrangement. The Office of the Director of National Intelligence has further clarified that bulk collection of data can only be used under specific pre-conditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances.

Effective protection of individual rights

Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself or free of charge. Alternative dispute resolution solutions will be offered.

Individuals can also go to their national data protection authorities, who will work with the Federal Trade Commission to ensure that complaints put forward by EU citizens are both investigated and resolved. If a case isn’t resolved by any of the other means, as a last resort there will be an arbitration mechanism.

Annual joint review mechanism

The mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurances made as regards access to data for law enforcement and national security purposes. The EC and the US Department of Commerce will conduct any reviews alongside associate national intelligence experts from the US and the European data protection authorities. The Commission will draw on all other sources of information available and issue a public report to the European Parliament and the Council.

Since presenting the draft Privacy Shield back in February, the Commission has included a number of additional clarifications and improvements. Notably, the EC and the US agreed on additional clarifications around the bulk collection of data, strengthening the Ombudsman mechanism and more explicit obligations placed upon companies as regards limits on retention and onward transfers.

Comment from the EC

Andrus Ansip, vice-president for the Digital Single Market at the EC, said: “We have now approved the new EU-US Privacy Shield which will protect the personal data of our people and provide clarity for businesses. We’ve worked hard with all our partners in Europe and in the US to make sure this deal is right and to have it signed and sealed as soon as possible. Data flows between our two continents are essential to our society and economy, and we now have a robust framework in place ensuring these transfers occur in the best and safest conditions.”

Věra Jourová, the EC’s Commissioner for Justice, Consumers and Gender Equality, stated: “The EU-US Privacy Shield is a robust new system designed to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on Government access and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We’ve worked together with the European data protection authorities, the European Parliament, the Member States and our US counterparts to put in place an arrangement to protect Europeans’ personal data to the very highest standard.”

The US Department of Commerce will now start operating the Privacy Shield. Once organisations have had an opportunity to review the framework and update their compliance, they’ll then be able to certify with the Commerce Department as of Monday 1 August. In parallel, the EC will publish a short guide explaining the available remedies in case an individual considers that his/her personal data has been used without the user taking into account the new data protection rules.

Feedback from the business and security communities

Josh Hardie, the CBI’s deputy director general, commented: “The adoption of the EU-US Privacy Shield is good news for businesses of all sectors and sizes. Being able to swiftly and securely transfer data between Europe and the US is critical for everyday business activities like sending files or basic data storage, yet firms had been in limbo while this new framework was negotiated. They can now revert to business as usual with the ease and certainty that a new framework will provide, instead of relying on case by case model contract clauses. Ensuring UK companies can continue to seamlessly transfer data between our biggest trading partners will be an important priority for our future economic relationships post-Brexit.”

Richard Stiennon, Chief Strategy Officer for Blancco Technology Group and former vice-president of research at Gartner, has also reacted to the EU-US Privacy Shield announcement.

“An agreement on the EU-US Privacy Shield has been reached after the US DNI took the unprecedented step of providing written assurance that mass surveillance of EU citizens will not take place. This immediately begs the question: ‘Would the US, and the UK Government for that matter, be prepared to make those very same assurances to their own citizens? I find it disconcerting that the EU, by and large, is more concerned with privacy than both the US and the UK, and what this might mean for the global marketplace if we continue to allow different attitudes to translate into wildly different data privacy legislation across distinct geographies.”

Stiennon added: “If we continue along the path we’re treading then global organisations will continue to be subjected to the expense of tracking and complying with multiple sets of data security and privacy rules or we will experience a ‘race to the bottom’ that puts all of our personal data at risk.”

He concluded: “After years of working to have the GDPR defined, we’re finally ready to see it implemented. It’s all well and good devoting time and resource towards creating data sharing protocols such as the EU-US Privacy Shield, but wouldn’t it be better to make US and UK data protection laws meet the same standards so that we could all trade on a level playing field?”


About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts