EU-US Privacy Shield: the new Safe Harbour

Following on from the European Court of Justice’s ruling in the Schrems case on 6th October 2015, which declared the Safe Harbour arrangement to be invalid, the European Commission and the United States have agreed on a new framework for transatlantic data flows, to be known as the EU-US Privacy Shield. This new framework is intended to provide stronger protection for the fundamental rights of Europeans where their personal data is transferred to the United States.

3 February 2016

The EU-US Privacy Shield will provide for the following:

  • US companies intending to import personal data from the EU must commit to obligations on how data is processed and how individual rights will be guaranteed;
  • Enforcement will be the responsibility of the US Department of Commerce, which will require companies to publish their commitments. Once published these commitments will be enforceable under US law by the US Federal Trade Commission;
  • Indiscriminate mass surveillance by the US government of the personal data transferred to the US has been ruled out;
  • The US Office of the Director of National Intelligence will give the EU written assurances that access to data by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions will be subject to tests of necessity and proportionality;
  • Greater redress for citizens will be secured as companies will be given deadlines to respond to complaints; EU Data Protection Authorities will be able to refer complaints to the Department of Commerce and the Federal Trade Commission; and a new Ombudsman will be created for citizen complaints that concern access to data by national intelligence authorities;
  • Any company handling European human resource data must commit to complying with decisions of EU Data Protection Authorities; and
  • There will be an annual joint review of the success of the new framework, which will include the issue of national security access.

Next Steps
Vice-President Ansip and Commissioner Jourová will now prepare a draft “adequacy decision” for the College of Commissioners, which will obtain advice from the Article 29 Working Party and will also hold consultations with a committee of representatives of the member states prior to the adoption of that decision. In conjunction with this, the US will embark upon preparations to put in place the new framework, monitoring mechanisms and Ombudsman.

Initial reaction to these measures by commentators suggests that the new framework may not be adequate and that judicial challenges in the ECJ and US are to be expected. It will certainly be a case of “watch this space” in 2016 to see how this area develops.