EU Commission Adopts Data Privacy Shield
The European Commission has adopted an “adequacy decision” which enacts the final version of a planned EU-US “Data Privacy Shield.” The new accord aims to help govern data transfers between the two sides following the invalidation last year of the “Safe Harbour Framework.”
The decision announced on Tuesday brings to a close long-running negotiations to update the previous system, a set of principles known as the “Safe Harbour Framework” which took effect in 2000. The pressure to conclude a new system had rapidly escalated after the European Court of Justice ruled in October that the European Commission decision adopting the earlier framework was invalid.
The October ruling had created significant legal uncertainty for thousands of technology companies that had signed onto the original Safe Harbour Framework, given that they relied on it in establishing their terms of service and operating policies. (See Bridges Weekly, 8 October 2015)
Officials on Tuesday said that the new Data Privacy Shield will now provide that legal certainty, along with addressing issues raised in the October ruling.
“The EU-US Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses,” said Věra Jourová, the EU Commissioner for Justice, Consumers, and Gender Equality.
The EU official also pledged that the accord “will restore the trust of consumers when their data is transferred across the Atlantic,” a sentiment that was echoed by US Secretary of Commerce Penny Pritzker, who was also present for the announcement in Brussels.
“The approval of the Privacy Shield is a milestone for privacy at a time when the sharing of data is driving growth in every sector, from advanced manufacturing to advertising,” Pritzker told reporters.
EU member states had already signed off on the deal last week, setting the stage for the Commission’s announcement on Tuesday. The accord is now active, with US companies able to sign onto it from the beginning of August.
Features of the deal
Under the new framework, US officials have signed onto a series of new requirements aimed at ensuring that companies are complying with its rules, along with pledging that national security and law enforcement officials will face both restrictions and oversight systems should they seek to access EU data.
Among the Data Privacy Shield’s provisions is the inclusion of various options for individuals should they have concerns over how their data is being used. For example, those individuals can take these concerns either to the company itself, or through so-called “Alternative Dispute Resolution” which the company must provide free of charge.
Other options include raising concerns with their country’s authorities in this area, and even binding arbitration.
As announced in February, the US is also set to create the post of Ombudsperson, a role which would be independent from the country’s national security offices and would instead be housed within the Department of State. This person would be tasked with addressing questions from EU citizens relating to whether data accessed on national security grounds has been accessed lawfully.
Furthermore, the Data Privacy Shield requires the US and EU to hold annual reviews on how well the system is working, including on “the operation of the national security and law enforcement exceptions to the Principles.” Such “principles” are the terms that US companies must agree to in joining the framework.
The deal foresees the possibility of suspending the Privacy Shield, should the EU find that this new framework is no longer providing an “adequate level of protection” or that actions by US public officials in the areas of national security or law enforcement “do not ensure the required level of protection.”
This would not be immediate, however. Rather, the European Commission would first need to give the US Department of Commerce time to potentially address such issues; should these efforts fail, the EU can then move ahead with suspending or repealing the Data Privacy Shield.
The past several months have seen negotiators race to ink a final deal that can provide legal certainty to both smaller enterprises and big tech giants that engage heavily in digital trade. A political accord between Brussels and Washington was struck in early February, with a draft version of the Data Privacy Shield released shortly thereafter. (See Bridges Weekly, 4 February 2016)
In the months since, the two sides have been revising certain aspects of the deal, incorporating feedback from the so-called Article 29 Working Party, as well as attempting to address issues raised by EU lawmakers over whether the new accord would be able to withstand legal scrutiny while ensuring that European data is indeed safe from indiscriminate mass surveillance and privacy risks when crossing over to the US.
The Article 29 Working Party is a group including representatives from the EU’s national data protection authorities, as well as the European Commission and the European Protection Supervisor. The group’s focus is on data protection and privacy issues.
Back in April, the working party highlighted a series of areas where the EU executive arm should clarify the terms of the Data Privacy Shield before moving forward.
“These concern elements such as safeguards regarding automated processing, further restrictions on access by public authorities, and effective independent redress,” the group explained.
The working party has withheld its assessment of the final accord, while noting that it intends to review whether the concerns it raised in April have indeed been addressed.
“Once the Commission has adopted the adequacy decision, the Working Party will be in a position to conduct a coordinated analysis of the documents and publish a statement as soon as possible,” said the group earlier this month.