European Commission accepts EU-US Privacy Shield
The European Union has formally adopted the EU-US Privacy Shield agreement that will govern the exchange of EU citizen data between Europe and the United States of America.
The Privacy Shield had been delayed after concerns had been raised by European Data Protection Supervisor (EDPS) Giovanni Buttarelli. The Supervisor had specific concerns and called for improvements in areas of limiting exemptions, improving redress and oversight mechanisms, and integrating all the main EU data protection principles.
A further round of talks and assurances has now led to the commission releasing a decision implementation document.
The European Commission’s vice president for the Digital Single Market, Andrus Ansip said the agreement will provide protection of citizen data and clarity for business.
“Data flows between our two continents are essential to our society and economy — we now have a robust framework ensuring these transfers take place in the best and safest conditions,” said Ansip.
Another key figure in the development of the agreement, Věra Jourová, commissioner for justice, consumers and gender equality, said it was robust system for the protection of personal data, again emphasising the establishment of clarity for businesses.
The EU-US privacy Shield “brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints,” said Jourová
“The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our US counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data.”
Despite its troubled passage to adoption, the agreement was praised as robust by one legal expert.
“Despite vast criticisms and doubts that the EU-US Privacy Shield will survive,” said Sarah Thompson of international law firm McGuireWoods, “the new deal clearly does provide more robust obligations and commitments than its predecessor, the Safe Harbour framework. It has stood up to rigorous negotiations and knock backs and shows the successful coordination and progress made between the EU and US counterparts, which meets the short falls of the Safe Harbour framework.”
Thompson said the agreement includes enhanced privacy protections, especially stronger rules regarding onward transfers, data retention and redress. She pointed out that it also now includes a US ombudsman set to be independent of the intelligence agencies.
One key development, highlighted by Thompson, is that the agreement will be reviewed on an annual basis allowing it to evolve and adapt to future technology and legal developments.
“I am hopeful that this will not just be a tick-box exercise, but an in-depth review enabling amendments to be made to mitigate future CJEU scrutiny,” she said.
EU member states will now be notified of the adequacy decision, from which time the agreement will take full effect.
On the US side, the agreement framework will be published to the Federal Register which will allow the Department of Commerce to begin operation. While there will be an opportunity for US companies to review the agreement the Department is expected to certify it from 1 August.
The Commission has said it will publish a citizen’s guide that will explain “the available remedies in case an individual considers that his personal data has been used without taking into account the data protection rules.”