EU-US Privacy Shield to replace Safe Harbour
The European College of Commissioners has approved a political agreement reached between the EU and the US on data flows after the Safe Harbour Agreement was struck down by a European court.
The College of Commissioners has now mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.
The College said the “new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.”
The agreement is expected to be in place within three months, said Commissioner Jourová, with the first of its yearly reviews expected next year.
A statement from the commission said that the EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid.
The new arrangement will provide stronger obligations on companies in the US to protect the personal data of Europeans and stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.
General access commitments
It includes commitments by the US that possibilities under US law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.
“We have agreed on a new strong framework on data flows with the US. Our people can be sure that their personal data is fully protected,” said Vice-President Ansip. “Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic. We have a duty to check and we will closely monitor the new arrangement to make sure it keeps delivering. Today’s decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US. We will work now to put it in place as soon as possible.”
“The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies,” said Commissioner Jourová. “For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”
The statement said that under the new agreement, US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the US FTC. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
With regard to new safeguards, for the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European Data Protection Authorities to it.
The new agreement also contains several redress possibilities for any citizen who considers that their data has been misused under the new arrangement. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, alternative dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
The College has mandated Vice-President Ansip and Commissioner Jourová to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. In the meantime, the US side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.
At a press conference on the new agreement, Commissioner Jourová was asked about the agreement in light of upcoming General Data Protection Regulations coming into force in 2018. She said that the agreement had been made with respect to the draft regulations and so it was not expected that there would be any re-negotiation necessary when those regulations come into effect.
The agreement has already drawn scepticism from one of the principal critics of the previous agreement, Max Schrems.
No legal basis
In a statement on the Privacy Shield, Schrems commented on the system of signed letters of commitment from US government representatives as part of the agreement.
“With all due respect, … a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance,” said Schrems.
“We don’t know the exact legal structure yet, but this could amount to obviously disregarding the Court’s judgement. The Court has clearly stated that the US has to ‘ensure’ proper protection by means of ‘domestic law or international commitments’. I doubt that a European can walk into a US court and claim his fundamental rights based on a letter by someone. The Commission could be en route to issuing a round-trip to the European Court in Luxembourg and back.”
Schrems says in conclusion, “It is clearly too early for a final assessment. It seems the EU has tried to get as much as possible. This is also the first time we see at least some movement by the US side, after all the letters and calls by European politicians were basically ignored. Going to courts over this matter and targeting the commercial sector seemed like a better strategy than most European politicians were so far using. Judging from the mere ‘headlines’ we know so far, I am, however, not sure if this system will stand the test before the Court of Justice. There will be clearly people that will challenge this — depending on the final text I may well be one of them.”