European Union starts process to adopt adequacy decision for safe data flows with the U.S.
The European Commission has launched the process to enable the continuation of the data transfers from the European Union to the United States that existed under the EU-U.S. Privacy Shield. In its decision, the European Commission has recognized that the United States provided adequate protection for personal data transferred from the EU to U.S. companies that were certified under the Privacy Shield mechanism. The Privacy Shield replaced the Safe Harbor framework, which was declared invalid by the European Court of Justice in October 2015 due to its lack of adequate protections for personal data transferred from the EU Member States to companies located in the U.S. that do not have an adequate level of protection for such data under EU law.
The European Commission has considered whether the United States provides adequate protection for personal data.
The existence of a framework for transferring data from the EU to the U.S. depends on whether the European Commission considers that the United States provides adequate protection for personal data transferred to U.S. companies. Previously, companies were certified under the Privacy Shield mechanism. The previous framework was invalidated by the European Court of Justice in 2015, following a complaint by Austrian lawyer Max Schrems alleging that Facebook was not complying with European privacy laws when it transferred its data across the Atlantic and processed it at its U.S. headquarters.
The new arrangement will create stronger obligations on companies in the U.S. to protect Europeans’ data.
The new arrangement will create stronger obligations on companies in the U.S. to protect Europeans’ data and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. It includes commitments by the U.S. that are more stringent than under current EU data protection law, covering areas such as government access, national security, information integrity, transborder data flows, redress, supervision and enforcement. It will also cover fiduciary duties of processors, onward transfers, children’s personal information, and automated individual decision-making, including profiling.
A new mechanism will provide redress avenues that are easier to use than ever through several accessible and affordable dispute-resolution mechanisms.
The new mechanism is expected to provide redress avenues in this area that are easier to use than ever before through several accessible and affordable dispute-resolution mechanisms. These include Ombudsperson mechanisms, which a company can use to investigate complaints related to data protection. Alternative dispute resolution (ADR) schemes will allow companies and individuals to resolve disputes while they are still in their early stages. In addition, binding arbitration will allow parties to take their case out of the court system through impartial third-party arbitrators who make decisions based on law rather than emotion or bias. There are many ways to address data privacy issues, and companies must make use of the tools they have at their disposal. The new mechanism is expected to provide a useful framework for companies looking to improve their approach to data protection while transferring data to third countries.