In the aftermath of the CJEU judgment in Maximillian Schrems vs Data Protection Commissioner case (Case C-362/14), and following the invalidation of the Safe Harbor in October 2015, the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic data transfers on Tuesday, 2 February 2016: the EU-U.S. Privacy Shield (IP/16/216).
The adoption procedure of the decision texts was finalized by the European Commission on 12 July 2016, after the relevant opinion of the article 29 working party (national data protection authorities) and the European Parliament resolution of 26 May.
This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States and offers legal clarity for businesses relying on transatlantic data transfers. The Shield has been drafted, among others, to further illuminate the bulk collection of data, strengthen the Ombudsperson mechanism, and set more explicit obligations on companies as regards limits on retention and onward transfers.
The EU-U.S. Privacy Shield summarily touches upon the following points:
- Strong obligations on companies handling data: under the new arrangement, U.S. companies wishing to abide by the EU-U.S Privacy Shield will be obliged to register in the Privacy Shield register and re-certify annually. Moreover, their privacy policies will have to be updated, so as to appropriately inform data subjects on their current access rights and the available recourse mechanisms. Especially for onward transfers to third party service providers, companies will remain fully liable and will ensure that third parties’ processing data enjoy the same level of protection in case of a transfer from a Privacy Shield company.
- Clear safeguards and transparency obligations on U.S. government access: The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Notably, the U.S. Government has ruled out indiscriminate mass surveillance on personal data transferred to the US. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State. It is notable that on 24 February 2016, the Judicial Redress Act was signed. The Act permits EU data subjects to seek remedies for violation of their personal data against U.S agencies in U.S courts.
- Effective redress mechanisms: Any citizen who considers that their data has been misused shall benefit from several dispute resolution mechanisms. Ideally, the complaint shall be resolved by the company itself, or by an Alternative Dispute resolution (ADR) process, the costs thereof shall not be incurred by the concerned individual. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens’ will be handled by an Ombudsperson independent from the US intelligence services.
For further information, you can have a look at the EU-U.S. Privacy Shield fact-sheet, published by the European Commission in July 2016 [link], as well as the European Commission’s practical guide to the EU-U.S. Privacy Shield [link].