July 20, 2016

The Commission says that the new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.

The EU-US Privacy Shield is based on the following principles:

• Strong obligations on companies handling data: under the new arrangement, the US Department of Commerce will conduct regular updates and reviews of participating companies to ensure that companies follow the rules. If companies do not comply they face sanctions and removal from the list.  The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection as a transfer from a Privacy Shield company.
• Clear safeguards and transparency obligations on US government access: the US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will benefit from redress mechanisms in this area.  The US has ruled out indiscriminate mass surveillance on personal data transferred to it under the EU-US Privacy Shield arrangement.  The Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible.  It details the safeguards in place for the use of data under such exceptional circumstances.  The US Secretary of State has established a redress mechanism in the area of national intelligence for Europeans through an Ombudsperson within the Department of State.
• Effective protection of individual rights: any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself, but if not, free of charge Alternative Dispute resolution (ADR) solutions will be offered.  Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved.  If a case is not resolved by any of the other means, as a last resort, there will be an arbitration  Redress in the area of national security for EU citizens will be handled by an Ombudsperson independent from the US intelligence services.
• Annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the US Department of Commerce will conduct the review and associate national intelligence experts from the US and European Data Protection Authorities.  The Commission will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.

Since presenting the draft Privacy Shield in February, the Commission has drawn on the opinions of the European data protection authorities (Article 29 Working Party) and the European Data Protection Supervisor, and the resolution of the European Parliament to include a number of additional clarifications and improvements.  The European Commission and the US notably agreed on additional clarifications on the bulk collection of data, strengthening the Ombudsperson mechanism, and more explicit obligations on companies as regards limits on retention and onward transfers.

The “adequacy decision” was notified to the Member States on 12 July 2016 and thereby entered into force immediately.  On the US side, the Privacy Shield framework will be published in the Federal Register, the equivalent to the EU’s Official Journal.  The US Department of Commerce will start operating the Privacy Shield.  Once companies have had an opportunity to review the framework and update their compliance procedures, companies will be able to certify with the Commerce Department as of 1 August.  In parallel, the Commission will publish a short guide for citizens explaining the available remedies if individuals consider that their personal data has been used without taking into account the data protection rules.  To read the Commission’s press release in full, click here.