‘Relief’ but an urgent need for clarity after EU-US Privacy Shield announced
Organisations on both sides of the Atlantic welcomed the news yesterday (2 February) that the European Commission and United States have at last agreed a new framework for transatlantic data flows, but warned that further clarity and a rebuilding of trust are now key.
The EU-US Privacy Shield, which replaces the old Safe Harbour framework, will govern the transfer of personal data for commercial purposes from companies in the EU to companies in the U.S. It puts in place stronger obligations on companies in the U.S. to protect that information and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European data protection authorities.
Talks have been underway since 6 October 2015, when the European Court of Justice ruled in the Schrems case that the Safe Harbour arrangement did not provide the level of data protection required by EU law.
The EU-US Privacy Shield sees the US give the EU for the first time written assurances that accessing data for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Europeans will be able to refer any enquiry or complaint in this context to a dedicated new Ombudsperson.
Under the new agreement, U.S. companies wishing to import personal data from Europe will now need to commit to robust obligations on how personal data is processed and individual rights protected. The Department of Commerce will ensure that companies publish their commitments, which makes them enforceable under U.S. law by the FTC. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European data protection authorities, which can now refer complaints to the Department of Commerce and the FTC.
The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European data protection authorities to attend.
Welcoming the decision, Daniel Castro, vice president of Washington-based not-for-profit IT think tank The Information Technology and Innovation Foundation, said: “We commend U.S. and European negotiators for completing an agreement that avoids disrupting the transatlantic digital economy in the near term by ensuring continuity for the thousands of U.S. and European companies providing services across the two markets. Free flow of data across borders is essential to global trade and commerce, and this renewed agreement marks an important step forward for U.S.-EU cooperation.
“Going forward, the United States and EU should make a number of much-needed privacy reforms to continue rebuilding trust and cooperation and ensure the world’s most critical economic relationship continues to endure in the digital age. In the United States, this includes further surveillance reform and passing the Judicial Redress Act. In Europe, this means rejecting protectionist measures, such as a European Cloud, and fully embracing the spirit of a digital single market, not just in Europe, but globally.”
At the CBI, acting competitive markets director Tom Thackray said: “Transferring data easily and securely between Europe and the USA is critical for businesses in our modern digital economy, so firms will be relieved that a new framework has at last been agreed to replace Safe Harbour.
“Businesses now need clarity fast on what they need to do to comply with the new framework so it can be implemented quickly and effectively. Getting this right will be important to the future of Europe’s digital agenda, as well as doing business with our largest trading partner, the United States,” he added.
However, at Fieldfisher, data protection partner Phil Lee was far less optimistic about the news. “Today’s announcement will be undoubtedly welcomed by many,” he said. “But keeping in mind that this new Safe Harbour will almost certainly be challenged by civil liberties groups (and possibly even some data protection authorities) pretty much immediately, only the foolhardy would want to place their trust in a new Safe Harbour right now. Whether legal or not, its reputation is already shot to pieces.”