The European Commission (EC) has now formally adopted the EU-US Privacy Shield which invokes a new framework for any transatlantic exchanges of personal data for commercial purposes. The EC presented the draft decision texts on 29 February this year. Following on from views expressed by the Article 29 Working Party on 13 April and the European Parliament resolution of 26 May, the Commission finalised the adoption procedure on Tuesday 12 July.
In essence, this all-new framework protects the fundamental rights of anyone in the European Union (EU) whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.
The EU-US Privacy Shield is based on the following principles:
Strong obligations on companies handling data
Under the new arrangement, the US Department of Commerce will conduct regular updates and reviews of participating companies to ensure that they follow the rules to which they’ve submitted themselves. If organisations don’t comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.
Clear safeguards and transparency obligations on US Government access
The US has given the EU assurances that access to data by public authorities for law enforcement and national security purposes is subject to clear limitations, safeguards and oversight mechanisms. For the first time, everyone in the EU will benefit from redress mechanisms in this area: the US Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsman mechanism within the Department of State.
The US has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-US Privacy Shield arrangement. The Office of the Director of National Intelligence has further clarified that bulk collection of data can only be used under specific pre-conditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances.
Effective protection of individual rights
Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself; otherwise, free-of-charge alternative dispute resolution (ADR) solutions will be offered.
Individuals can also go to their national data protection authorities, who will work with the Federal Trade Commission to ensure that complaints put forward by EU citizens are both investigated and resolved. If a case isn’t resolved by any of the other means, as a last resort there will be an arbitration mechanism.
Annual joint review mechanism
The mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurances made as regards access to data for law enforcement and national security purposes. The EC and the US Department of Commerce will conduct the reviews alongside national intelligence experts from the US and the European data protection authorities. The Commission will draw on all other sources of information available and issue a public report to the European Parliament and the Council.
Since presenting the draft Privacy Shield back in February, the Commission has included a number of additional clarifications and improvements. Notably, the EC and the US agreed on additional clarifications around the bulk collection of data, strengthening the Ombudsman mechanism and more explicit obligations placed upon companies as regards limits on retention and onward transfers.
Comment from the EC
Andrus Ansip, vice-president for the Digital Single Market at the EC, said: “We have now approved the new EU-US Privacy Shield which will protect the personal data of our people and provide clarity for businesses. We’ve worked hard with all our partners in Europe and in the US to make sure this deal is right and to have it signed and sealed as soon as possible. Data flows between our two continents are essential to our society and economy, and we now have a robust framework in place ensuring these transfers occur in the best and safest conditions.”
Věra Jourová, the EC’s Commissioner for Justice, Consumers and Gender Equality, stated: “The EU-US Privacy Shield is a robust new system designed to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on Government access and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We’ve worked together with the European data protection authorities, the European Parliament, the Member States and our US counterparts to put in place an arrangement to protect Europeans’ personal data to the very highest standard.”
The US Department of Commerce will now start operating the Privacy Shield. Once organisations have had an opportunity to review the framework and update their compliance, they’ll be able to certify with the Commerce Department as of Monday 1 August. In parallel, the EC will publish a short guide explaining the remedies available in case an individual considers that his or her personal data has been used without regard to the new data protection rules.
Feedback from the business and security communities
Josh Hardie, the CBI’s deputy director general, commented: “The adoption of the EU-US Privacy Shield is good news for businesses of all sectors and sizes. Being able to swiftly and securely transfer data between Europe and the US is critical for everyday business activities like sending files or basic data storage, yet firms had been in limbo while this new framework was negotiated. They can now revert to business as usual with the ease and certainty that a new framework will provide, instead of relying on case by case model contract clauses. Ensuring UK companies can continue to seamlessly transfer data between our biggest trading partners will be an important priority for our future economic relationships post-Brexit.”
Richard Stiennon, Chief Strategy Officer for Blancco Technology Group and former vice-president of research at Gartner, has also reacted to the EU-US Privacy Shield announcement.
“An agreement on the EU-US Privacy Shield has been reached after the US DNI took the unprecedented step of providing written assurance that mass surveillance of EU citizens will not take place. This immediately begs the question: ‘Would the US, and the UK Government for that matter, be prepared to make those very same assurances to their own citizens?’ I find it disconcerting that the EU, by and large, is more concerned with privacy than both the US and the UK, and what this might mean for the global marketplace if we continue to allow different attitudes to translate into wildly different data privacy legislation across distinct geographies.”
Stiennon added: “If we continue along the path we’re treading then global organisations will continue to be subjected to the expense of tracking and complying with multiple sets of data security and privacy rules or we will experience a ‘race to the bottom’ that puts all of our personal data at risk.”
He concluded: “After years of working to have the GDPR defined, we’re finally ready to see it implemented. It’s all well and good devoting time and resource towards creating data sharing protocols such as the EU-US Privacy Shield, but wouldn’t it be better to make US and UK data protection laws meet the same standards so that we could all trade on a level playing field?”