Yesterday the European Commission published the draft legal texts for the new data transfer agreement – the “EU-U.S. Privacy Shield” – that was reached at the beginning of February. The EU Commission also released a draft “adequacy decision” on the agreement, establishing that the safeguards provided when personal data is transferred under the Privacy Shield are equivalent to the EU data protection standards.
U.S. companies who decide to sign up to the Privacy Shield will need to annually self-certify their compliance with the Privacy Shield principles. The Department of Commerce (DOC) will monitor and verify that each company meets these principles and will maintain a list of those businesses that have signed up. Organisations failing to comply with the principles will be removed from the list and must return or delete the personal data received under the Privacy Shield.
The majority of the Privacy Shield principles reflect those contained in the Safe Harbor agreement, e.g., obligations with regard to data access, onward transfers, security and enforcement. However, there are some notable changes reflecting the requirements set by the Court of Justice of the European Union in its judgment of 6 October 2015 invalidating Safe Harbor.
According to the European Commission, the new arrangement will afford tougher obligations on U.S. companies to protect EU citizens’ personal data and stronger monitoring and enforcement requirements on the DOC and Federal Trade Commission (FTC). It also includes commitments by U.S. authorities that access to EU citizens’ personal data by national security authorities will be subject to clear conditions, limitations and oversight, preventing indiscriminate and mass surveillance.
The European Commission stresses that the new arrangement will include the following:
-
Strong obligations and robust enforcement – U.S. companies will need to commit to strong obligations on how personal data is processed and guarantee individual rights. The DOC will regularly monitor and verify that companies are complying with their commitments, which are legally binding and enforceable under U.S. law.
-
Governmental access – As noted above, the U.S. has for the first time given written assurances that access by public authorities for law enforcement or national security will be subject to limitations, safeguards and oversight mechanisms. In addition, complaints on possible access by national intelligence authorities can be made to a new ombudsperson, who will be independent from the national security services.
-
EU citizen protection and redress – Any EU citizens who consider that their personal data has been misused will have a number of redress possibilities. Companies will have to respond to complaints within 45 days. EU data protection authorities (DPAs) can refer complaints to the DOC and the FTC. In addition, an alternative dispute resolution mechanism will be available and free of charge.
-
Annual joint review – The European Commission’s adequacy decision will be subject to an annual joint review, unlike its predecessor, which will result in a public report to both the European Parliament and Council.
Next steps
A committee comprising the EU DPAs will now examine the texts and the European Commission’s draft adequacy decision. The Article 29 Working Party will also give its opinion before a final decision by the College (of EU Commissioners). The EU DPAs are expected to give their view by the end of March. In addition, the U.S. will start preparations to put in place the new agreement, monitoring mechanisms and the ombudsperson.
