On February 2, 2016, the European Commission announced a last-minute “political agreement” with the United States concerning a new privacy framework for transatlantic data transfers. The accord, called the “EU-U.S. Privacy Shield”, still requires further negotiation of the specific terms of the deal, but the announcement presumably buys time for those talks to continue. If it comes to fruition, it will facilitate the flow of data concerning Europeans to U.S. companies, like the now-invalidated Safe Harbor framework did from 2000 until last October.
The EU Commission notes that the Privacy Shield “reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbor framework invalid.” (We previously discussed that ruling here.)
According to the EU Commission, the new framework will “protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies”, through the following elements:
- “Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- “Clear safeguards and transparency obligations on U.S. government access: For the first time, the U.S. has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the U.S. under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- “Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.”
A political exigency?
The announcement of this accord appears to be a pre-emptive political exigency, as it was made the same day that the group of 28 national data protection authorities, known as the Article 29 Working Party, was set to meet to discuss possible consequences for companies that were still operating under the invalidated Safe Harbor agreement. Shortly after the ECJ ruling on Safe Harbor in October, the Article 29 Working Party had set a January 31 deadline for a new data transfer/privacy protection agreement to be reached between the EU and the U.S. The Article 29 Working Party may announce its own plans for regulating data transfers from the EU to the U.S. tomorrow. It is unclear whether those plans will be consistent with the framework outlined today by the EU Commission.
Let’s be clear: the process for reaching a final agreement on the Privacy Shield is far from complete. And even if the EU and U.S. finally iron out the specific terms of the agreement, ultimate success is not guaranteed. Within the 28-nation EU, national data protection authorities (privacy regulators) could reject it, which would send the whole thing back to square one (yet again).
In addition to the political and legislative angles, further legal challenges in the EU are certainly expected against any final binding terms of the EU-U.S. Privacy Shield, largely due to the continued distrust of U.S. government access to the data.
Notably, the EU Commission has no authority over the national security intelligence/surveillance practices of its member states. Consequently, and more than a little ironically, while it has focused so intently on the surveillance activities of the U.S. government vis-à-vis European citizens, it apparently has no ability to address those same privacy concerns related to the surveillance activities of its 28 member states.
This chapter is far from complete. Stay tuned for further updates.