After months of negotiations, on February 2, 2016 the European Commission and the United States have finally reached an arrangement on a new framework for transatlantic data flows replacing the invalidated Safe Harbor agreement.
The Vice President of the European Commission, Andrus Ansip, and the European Commissioner for Justice Věra Jourovà have been mandated to prepare the next steps to put in place the new framework in the next few months. Commissioner Jourovà stated that the implementation of the new framework would take about three months.
Key elements of the “EU-US Privacy Shield”
The focus of the announcement was on three key elements:
– Strong obligations on US companies importing European’s personal data: US importers will have to commit to robust obligations on how personal data is processed and individual rights are guaranteed; the Department of Commerce will monitor that US companies publish their commitments; companies handling human resources data from Europe will also need to comply with decisions of European data protection authorities.
– Clear safeguards and transparency obligations on US Government access to data: the United States gave written assurances that the access to the data for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms; an annual joint review between the European Commission and the United States Department of Commerce will be conducted in order to monitor the implementation of these obligations.
– Effective protection of European’s individual rights with the implementation of several redress mechanism: any European citizen who considers that its personal data has been misused will have the following redress options:
a. Filing a complaint directly to the importer companies (companies have reply deadlines);
b. Filing a complaint to the relevant European data protection authority. The authority can refer the complaint to the Department of Commerce and the Federal Trade Commission;
c. Alternative dispute resolution mechanism (free of charge);
d. Finally, for complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
The European Commission Vice President and the European Commissioner for Justice must prepare a draft “adequacy decision” in the next few weeks.
Once drafted, the adequacy decision will be submitted to the Article 29 Working Party (made up of a representative from the data protection authority of each EU Member State) who will advise the European Commission.
During this period, the United States will have to put in place the agreed privacy safeguards.
Florence Chafiol, Partner – August & Debouzy