Most companies that manage customer data across the two continents of Europe and America have been somewhat hampered by the legal limbo that has prevailed since the initial provisions surrounding the Safe Harbour principles were laid to rest by the ECJ on the 6th of October 2015.
Yet in a much-awaited move, the European Commission and the United States have agreed on a new framework for transatlantic data flows. Well timed with the latest Star Wars movie famously touting the Deflector Shield, the new framework shall be known as the EU-US Privacy Shield. This will protect the fundamental rights of Europeans when their data is transferred to the US.
Apprehension surrounding state surveillance in the US has increased in the post-Snowden era, and this has strained political relationships and legal certainty.
The new arrangement will include the following elements:
- Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European Data Protection Authorities.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
We are now eagerly awaiting the next steps, which shall relate to detailed policy formulations based on recommendations from the Article 29 Working Party. It is expected that the EU-US Privacy Shield will come into place during 2016.
Cover Photo by Flickr user ‘Elif Ayiter’ used under Creative Commons Attribution 2.0 license. Image cropped.