Agreement on new arrangement for transatlantic data flows: the new EU-US Privacy Shield
3. Februar 2016 – On 2 February 2016, the European Commission and the United States (US) agreed on a new arrangement for transatlantic data flows: the EU-US Privacy Shield. The European Commission mandated Vice-President Andrus Ansip and Commissioner Věra Jourová to prepare the necessary steps to put in place the new arrangement.
The new EU-US Privacy Shield became necessary because of the requirements set out by the Court of Justice of the European Union (CJEU) in its ruling on 6 October 2015, which declared the old US-EU Safe Harbor Framework invalid (see our news 7.10.2015). The new arrangement will provide for stronger obligations on companies in the US importing/accessing personal data from the EU/EEA in order for them to guarantee data protection and privacy rights. The U.S. Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the U.S. Federal Trade Commission (FTC). In addition, companies processing personal data from Europe have to comply with decisions issued by European DPAs.
The new arrangement will also include safeguards and transparency obligations on US government access. The access of public authorities for law enforcement and national security purposes will be subject to conditions, limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and be proportionate. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. The US and the European Commission will ensure regular monitoring of the functioning of the arrangement by an annual joint review.
Furthermore, EU/EEA citizens’ rights shall be effectively protected by redress possibilities. EU/EEA citizens will be able to complain directly to the companies which have deadlines to reply to these complaints. Moreover, European DPAs can refer complaints to the U.S. Department of Commerce and the FTC. In addition, alternative dispute resolution will be free of charge. EU/EEA citizens will also have the possibility to raise any enquiry or complaint in this context with a dedicated new ombudsperson.
The College of Commissioners mandated Vice-President Andrus Ansip and Commissioner Věra Jourová to prepare a draft "adequacy decision" in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the member states of the EU. In the meantime, the US will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new ombudsperson.
The new EU-US Privacy Shield arrangement will provide more legal certainty for EU/EEA companies doing business in the US and from a practical point of view, it is certainly expected (and recommended) that many US companies certified under the US-EU Safe Harbor Framework will certify under the new EU-US Privacy Shield. However, some data protection activists – including Max Schrems who initially brought the US-EU Safe Harbor Framework before the CJEU – do not believe that the new EU-US Privacy Shield arrangement will be sufficient, and it cannot be excluded that the new arrangement will also be challenged at some stage before the CJEU.
The new EU-US Privacy Shield arrangement between the EU and the US will not per se apply to personal data transferred from Switzerland to companies located in the US. However, we expect that Switzerland and the US will, once the new EU-US Privacy Shield arrangement between the EU and the US is in place, negotiate a similar separate arrangement for personal data transferred from Switzerland to recipients located in the US and thus replace the prior US-Swiss Safe Harbor Framework which has been considered “invalid” by the Swiss Federal Data Protection and Information Commissioner in the aftermath of the decision of the CJEU (see our news 22.10.2015). Companies disclosing personal data from Switzerland to the US and companies located in the US receiving personal data from Switzerland should closely watch any developments in this matter, as a potential new “US-Swiss Privacy Shield arrangement” may (again) facilitate crossborder transfers to the US.