The European Commission has today (12 July) formally adopted the EU-U.S. Privacy Shield governing data transfers, which it says has taken into account criticisms of the draft presented in February and strengthened a number of obligations.
The long-anticipated new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as, in theory, bringing legal clarity for businesses relying on transatlantic data transfers.
Since presenting the draft Privacy Shield in February, the Commission has drawn on the opinions of the European data protection authorities (Art. 29 working party) and the European Data Protection Supervisor, as well as the resolution of the European Parliament, to include a number of additional ‘clarifications and improvements.’
The European Commission and the U.S. have notably agreed on additional clarifications regarding the bulk collection of data, strengthening the Ombudsperson mechanism, and more explicit obligations on companies as regards limits on retention and onward transfers.
Under the new arrangements, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies.
If companies do not comply in practice, they face sanctions and removal from the list. Conditions have been tightened for the onward transfer of data to third parties.
Safeguards and transparency obligations on U.S. government access
The U.S. has also given the EU assurance that public authority access to data for law enforcement and national security purposes is subject to clear limitations, safeguards and oversight mechanisms.
Everyone in the EU will, for the first time, benefit from redress mechanisms in this area. The U.S. has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement.
Under the agreement, bulk collection of data can only be used under specific preconditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances.
Protection of individual rights
Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several dispute resolution mechanisms. If a complaint is not resolved by the company itself, free-of-charge Alternative Dispute Resolution (ADR) solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved.
If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress for EU citizens will be handled by an Ombudsperson independent from the US intelligence services.
Annual joint review mechanism
An annual joint review mechanism, meanwhile, will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes.
Andrus Ansip, commission vice-president for the digital single market, said: “We have approved the new EU-U.S. Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.
The “adequacy decision” will be notified today to the Member States and enter into force immediately. On the U.S. side, the Privacy Shield framework will be published in the Federal Register and companies will be able to certify with the Commerce Department starting 1 August.
While it remains to be seen whether the changes have gone far enough to prevent a legal challenge from Article 29, Tanguy Van Overstraeten, partner and global head of privacy and data protection at Linklaters, said of the decision: “Sign off on the Privacy Shield ends a period of serious uncertainty for businesses across the globe. It is a significant milestone after the Schrems case and the invalidation of the EU Commission Decision approving the Safe Harbour. Its implementation will provide a robust solution enabling businesses to carry on Trans-Atlantic data transfers as part of their activities on both sides of the ocean.
“The higher levels of protection elaborated under the new system are also there to help strengthen the confidence of citizens as regards the way their data is processed.”
However, Max Schrems, who brought the original challenge against Safe Harbour, said of the new agreement: “It is little more than a little upgrade to Safe Harbour, but not a new deal. It is very likely to fail again, as soon as it reaches the CJEU. This deal is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution.”
“Today, as the final step in a long process of approvals, the European Commission adopted the new EU-US Privacy Shield. We applaud this achievement, which demonstrates that the EU and the US share important values and are able to work together to protect the fundamental right to privacy.”