EU – US Privacy Shield

Written on 22 Feb 2016

The European Commission and the US have agreed on a new framework for the transatlantic flows of data: the EU-US Privacy Shield. The announcement represents a much-awaited leap forward in the context of the construction of a general framework for the exchange of personal data between the United States and the Member States of the European Union. The agreement has shed light on the uncertainty generated by the Judgment delivered by the Court of Justice of the European Union on 6 October 2015 (Case Maximillian Schrems v Data Protection Commissioner, C-362/14) which invalidated the European Decision 2000/520 regulating the Safe Harbour principles.

The announcement made by the EU Commissioner of Justice, Consumers and Gender Equality on 2 February 2016 made public the agreement reached on the points of the new framework for the international transfer of personal data, which is expected to protect European citizens’ fundamental rights whilst endowing legal certainty to those companies affected by the decision adopted by the European Union Court of Justice.

However, additional preparatory work will be necessary before we have a definite framework. Within the coming weeks a draft of the decision is expected to be released which will outline the main features of the new regime.

Until then, national data protection authorities will keep on accepting the Model Clauses approved by the European Commission and the Binding Corporate Rules. As for those entities that were still relying upon the Safe Harbour principles, national data protection authorities may initiate sanctioning procedures against them on the grounds of carrying out international data transfers without observing the minimum guarantees demanded by the legal requirements in force.

The major differences that will be introduced by the Privacy Shield in comparison with the Safe Harbour principles (in force until 6 October 2015) are the following:

  • Strong control obligations are foreseen for U.S. companies in relation to the personal data of European Union citizens that they import. These control obligations shall be complemented by intense surveillance tasks discharged by the U.S. Department of Commerce.
  • Access to European Union citizens’ personal data by the U.S. Government shall be clearly limited and subject to safeguard mechanisms and close oversight. The European Commission, alongside the U.S. Department of Commerce, shall jointly review the proper functioning and performance of the agreement on an annual basis.
  • European Union citizens will be granted an easily accessible and affordable mechanism to settle disputes relating to the protection of their personal data. Companies will deal with citizens’ claims in the first place. Citizens will afterwards be able to claim before the Member States’ national authorities, who shall work jointly with the U.S. Federal Trade Commission to provide them with a resolution to the dispute. Upon failure of those instances, an arbitration mechanism will exist as a last resort.
  • Also, an independent data protection ombudsman will be in charge of safeguarding citizens’ rights.