The EU Commission published on 29 February 2016 details of the EU-US Privacy Shield, the new framework for data exchange between the EU and the US. The EU-US Privacy Shield is intended to restore trust in transatlantic data flows since the Court of Justice of the European Union declared the previous Safe Harbour regime invalid on 6 October 2015.
US government access to the data was a major factor contributing to the downfall of the Safe Harbour regime. The establishment of the new EU-US Privacy Shield was made possible by the written assurance given by the US government to EU policymakers that US government access to European data will be limited and subject to clear safeguards and oversight mechanisms, including a possibility for European individuals to file complaints through a specialized Ombudsperson mechanism.
Like its predecessor, the EU-US Privacy Shield will operate on an opt-in basis. US companies participating in the new regime have to commit to complying with a set of privacy principles mirroring the obligations applicable to EU companies. To comply with the EU-US Privacy Shield, US companies must, inter alia, adequately inform the data subjects of the processing of their personal data, set up necessary security measures to protect the data, provide effective remedies in case of non-compliance and ensure that the same level of protection is guaranteed if the personal data is transferred to a third party.
The US Federal Trade Commission will be authorized to enforce the commitments under US law, but the EU-US Privacy Shield will also empower EU citizens to look after their own rights. Citizens have the option to file a complaint directly with the respective company, and the company is obliged to respond to a complaint within 45 days. Alternatively, EU citizens may go through their national Data Protection Authorities and have their complaints handled by the US Federal Trade Commission. The possibility for complaints is supported by access to a free-of-charge alternative dispute resolution process or, ultimately, an arbitration mechanism providing for an enforceable remedy as a last resort.
The EU-US Privacy Shield will be subject to an annual joint review by the EU and the US authorities. Furthermore, the EU Commission reserves the right to suspend the EU-US Privacy Shield at any time if the EU Commission concludes that the required level of protection is no longer ensured in the US.
Before the EU-US Privacy Shield is adopted in its final form, the EU Commission will hear the EU Data Protection Authorities and the committee composed of the representatives of the Member States. At the same time the US authorities will start the steps to put in place the new structures required by the new framework.
There are strong indicators that the EU Commission will push through with the new framework and that the EU-US Privacy Shield will be adopted, but until then it would be prudent for transferors of data to the US to comply with other mechanisms set out in the European data protection legislation, such as model contractual clauses.