After months of intensive negotiations, today (February 2) the European Commission and the United States announced agreement on a new framework for transatlantic data flows: the EU-US Privacy Shield.
This new framework will protect the rights of Europeans where their data is transferred to the United States and provide a path to legal certainty for the thousands of businesses that had previously relied on Safe Harbor for their international data transfers. The framework should be in place within three months.
Addressing the ECJ concerns
The EU-US Privacy Shield addresses the requirements set out by the European Court of Justice in its ruling last October 6 which declared the old Safe Harbor framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. There will also be the creation of a new Ombudsperson to address complaints about possible access by national intelligence agencies.
Vice-President Ansip, European Commission said: “We have agreed on a new strong framework on data flows with the US. Today’s decision…further strengthens our close partnership with the US. We will work now to put it in place as soon as possible.”
While further details of the new framework are still to be released it’s clear that the EU-U.S. Privacy Shield will be robustly monitored with an annual review by the European Commission and the U.S. Department of Commerce. This review will also involve the U.S. national intelligence experts from the U.S. and European Data Protection Authorities.
What happens next?
The European Commission will now draft an “adequacy decision” which would be reviewed by the Article 29 Working Party and then adopted by the Commission after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. Department of Commerce together with the European Commission will continue preparations to put in place the new framework, monitoring mechanisms and new Ombudsman. If agreed before the final adoption of the European General Data Protection Regulation then this adequacy decision would ensure that the Privacy Shield could be a valid method of international data transfers through 2018 and beyond.
There should be further details following tomorrow’s Article 29 Working Party meeting and in subsequent briefings by the Department of Commerce on what requirements will be necessary for companies to stay compliant until the Privacy Shield is in place. The TRUSTe EU Data Privacy Transfer Assessment package will ensure you’re compliant with each of these requirements once they’re made available.