European Commission Vice President, Andrus Ansip, and the European Union’s Commissioner for Justice, Vera Jourová, announced that after “tough” negotiations, the United States and the European Union have agreed upon a new framework for transatlantic data flows. This “EU-US Privacy Shield” has been given the green light by the College of Commissioners. Jourová said the framework will satisfy the European Court of Justice’s Schrems decision by protecting the fundamental rights of Europeans and allowing for continuous review of the arrangement. The new arrangement includes three key elements:
Safeguards and Transparency Obligations for U.S. Government Access to Data
The U.S. has provided the E.U. “binding written assurances” that government access to personal data transferred to the U.S. is subject to clear limitations, safeguards, and oversight.
- U.S. law enforcement and national security access to data will be subject to limitations, safeguards, and oversight.
- Surveillance will be limited to that which is necessary and proportionate. The U.S. has indicated it will not conduct “indiscriminate mass surveillance” on the data transferred to the U.S. under this new framework.
- The European Commission and U.S. Department of Commerce will conduct annual reviews to evaluate the arrangement, including with respect to surveillance. European Data Protection Authorities (DPAs) and U.S. intelligence experts may attend the reviews. Jourová indicated the reviews will help ensure the U.S. is held accountable to its assurances.
Obligations on Companies Handling Personal Data Coupled with Enforcement
American companies that import personal data from the EU must commit to comply with strong obligations regarding the processing of such data.
- The Department of Commerce will actively monitor companies’ compliance with such commitments, and the Federal Trade Commission retains enforcement authority.
- Companies may face sanctions and removal from the program for non-compliance.
- Onward transfers will be subject to certain conditions.
- Companies processing human resources data must comply with decisions by European DPAs.
Redress Mechanisms for EU Citizens
EU citizens have several avenues for redress if they believe their data has been misused.
- First and ideally, the U.S. company in question will resolve the complaint itself. Companies will have deadlines by which they must respond to complaints under the arrangement.
- Second, EU citizens can seek dispute resolution through the EU DPAs, which can refer complaints to the Federal Trade Commission and Department of Commerce to investigate and resolve complaints within a reasonable time frame.
- If complaints are not resolved by the company or the Federal Trade Commission and Department of Commerce, as a last resort, a free arbitration mechanism will be available.
- A new U.S. official, the Ombudsperson, will address complaints regarding access to data by national intelligence authorities.
- The Judicial Redress Act, if passed in the United States, will provide European citizens access to U.S. courts with respect to data used for national security purposes.
Jourová will brief the EU DPAs regarding the new arrangement at their meeting in Brussels on February 3rd. Following that, Jourova’s team will draft an adequacy decision for approval by the College of Commissioners, following advice from the Article 29 Working Party and a committee of Member States. Simultaneously, the U.S. will formalize the new framework and put in place monitoring mechanisms and the new Ombudsman. Jourová estimated finalizing the arrangement will take approximately three months and the first annual review would occur in 2017.
