March 8, 2016

The Commission has published the legal texts putting in place the EU-US Privacy Shield, together with a Communication summarising the actions taken over the last few years to restore trust in transatlantic data flows since the 2013 surveillance revelations.

According to the Communication, the Commission has: (i) finalised reform of the EU Data protection rules, which apply to all companies providing services on the EU market; (ii) negotiated the EU-US Umbrella Agreement, ensuring high data protection standards for data transfers across the Atlantic for law enforcement purposes; and (iii) achieved what it calls, “a renewed sound framework for commercial data exchange: the EU-US Privacy Shield”.

As well as publishing the Privacy Shield legal texts, the Commission has also published a draft “adequacy decision”.  This includes the Privacy Shield Principles companies have to abide by, as well as written commitments by the US Government on the enforcement of the arrangement, including assurances on the safeguards and limitations concerning access to data by public authorities.

Once adopted, the “adequacy decision” will ensure that safeguards for when data are transferred under the new EU-US Privacy Shield are equivalent to data protection standards in the EU.  The US authorities have given strong commitments that the Privacy Shield will be strictly enforced and assurance that there is no indiscriminate or mass surveillance by national security authorities.

The Commission says that this will be guaranteed through:

• strong obligations on companies and robust enforcement: the new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply. The new rules also include tightened conditions for onward transfers to other partners by the companies participating in the scheme;
• clear safeguards and transparency obligations on US government access: for the first time, the US government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data. US Secretary of State John Kerry committed to establishing a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State, which will be independent from national security services.  The Ombudsperson will follow-up complaints and enquiries by individuals and inform them whether the relevant laws have been complied with;
• effective protection of EU citizens’ rights with several redress possibilities: complaints will have to be resolved by companies within 45 days. A free of charge Alternative Dispute Resolution solution will be available.  EU citizens can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved.  If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism ensuring an enforceable remedy.  Moreover, companies can commit to comply with the advice from European DPAs.  This is obligatory for companies handling human resource data.
• annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The Commission and the US Department of Commerce will conduct the review and involve national intelligence experts from the US and European Data Protection Authorities. The Commission will draw on all other sources of information available, including transparency reports by companies on the extent of government access requests.  The Commission will also hold an annual privacy summit with interested NGOs and stakeholders to discuss broader developments in the area of US privacy law and their impact on Europeans.  On the basis of the annual review, the Commission will issue a public report to the European Parliament and the Council.

To read the European Commission’s press release, click here.