On October 6 last year, the 15-year-old Safe Harbour agreement (used by many companies to lawfully transfer personal data from the EU to the United States) was declared invalid by the European Court of Justice (ECJ) when the court found that US national security requirements undermined privacy safeguards – meaning that the personal data of European citizens were not adequately protected in the US.
Following the Safe Harbour ruling, EU data protection authorities (DPAs) gave companies a three-month grace period in which they could set up alternative legal systems to transfer data across the Atlantic, such as binding corporate rules, model clauses or consent from registered persons. The DPAs also urged Brussels and Washington to agree on a new data transfer agreement in the same period. Consequently, since October last year the US and EU have been racing to replace the original Safe Harbour agreement, and yesterday evening the regulators announced that a new framework for transatlantic data flows has been agreed.
The new Privacy Shield
The new framework will protect the fundamental rights of Europeans where their data is transferred to the US and ensure legal certainty for companies. The new arrangement will in short be based on the following essentials:
Strong obligations and robust enforcement: US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies announce their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, US companies handling personal data transferred from Europe will need to cooperate with European DPAs.
Clear safeguards and transparency obligations on US government access: The US has given the EU written assurances that the access of public authorities for law enforcement and national security reasons will be subject to clear limitations, safeguards and oversight mechanisms. These access rights shall be used only when necessary and proportionate. Under the new framework, the US has ruled out generalised mass surveillance of personal data transferred to the US. To regularly monitor the functioning of the arrangement there will be an annual joint review, performed by the European Commission and the US Department of Commerce.
Effective protection of EU citizens’ rights: Any citizen who considers that their data has been misused under the new arrangement will have numerous redress possibilities. Companies have deadlines to reply to complaints and European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. Furthermore, alternative dispute resolution will be free of charge and a new Ombudsperson will be created.
What happens now?
During the upcoming weeks a draft “adequacy decision” will be prepared, which could then be adopted after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. In the meantime, the US will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsman.