As a follow up to the European Court of Justice Schrems decision of 6th October 2015, the EU and the US have managed to negotiate a fast track a new agreement called the EU-US Privacy Shield meant to replace the disgraced Safe Harbour agreement.
According to the European Commission, the EU-US Privacy Shield addresses the key Safe Harbour concerns raised by the Court:
- Strong obligations on companies handling Europeans’ personal data and robust enforcement: US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European data regulators.
- Clear safeguards and transparency obligations on US government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms – which should prevent the Snowden scandal from repeating itself. Exceptions to privacy must be used only to the extent necessary and proportionate. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. The European Commission and the US Department of Commerce will conduct annual reviews of the functioning of the agreement and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies will have to reply to complaints in given deadlines, and EU Member States’ data watchdogs will be able to refer complaints to the US Department of Commerce and the Federal Trade Commission. In addition, ADR will be offered free of charge. For complaints on possible access by national intelligence authorities, a new ombudsperson will be created.
You can find more resources on EU-US privacy and EU data protection developments in our Knowledge Centre.
Latest posts by Bostjan Makarovic (see all)
- ‘GDPR practitioner’ ? I prefer ‘privacy professional’ instead - July 18, 2017
- Why appointing Data Protection Officer is not the first step in GDPR compliance - July 6, 2017
- GDPR adaptation – what does it comprise? - June 15, 2017