Business on the front line as European Commission details Privacy Shield plans to protect citizen data in deal with the US

The European Commission today issued guidance on the legal texts that will put in place the EU-U.S. Privacy Shield and a Communication summarising the actions taken over the last years "to restore trust in transatlantic data flows since the 2013 surveillance revelations."

With a set of next steps involving consultation with member states the EC gave details of its umbrella agreement negotiated with the US which includes the right to seek ombudsman ruling where US authorities access information and stricter conditions on passing on information to third parties.

The Commission said it had finalised the reform of EU data protection rules which apply to all companies providing services on the EU market, it negotiated the EU- US Umbrella Agreement "ensuring high data protection standards for data transfers across the Atlantic for law enforcement purposes" and said it achieved a renewed framework for commercial data exchange: the EU-US privacy shield.

Phil Lee, partner at Fieldfisher and a data protection specialist who is based in Palo Alto and works with US companies on their European data issues, said: "Like Safe Harbour, the Privacy Shield relies on companies self-certifying their compliance. That’s sure to be controversial – Safe Harbour didn’t have a good track record of self-certified companies complying with the commitments they made. Privacy Shield is, essentially, an amped-up version of Safe Harbour: it builds of very similar principles, but adds more details and controls. In many ways it bears a lot of similarities to Binding Corporate Rules, except that it relies on self-certification rather than regulatory authorisation and only allows transfers to the US rather than worldwide".

In a statement the Commission also made public today a draft "adequacy decision" and the texts that will constitute the EU-U.S. Privacy Shield. This includes the Privacy Shield Principles companies have to abide by, as well as written commitments by the U.S. Government (to be published in the U.S. Federal Register) on the enforcement of the arrangement, including assurance on the safeguards and limitations concerning access to data by public authorities.

Commission Vice-President Ansip said: "Now we start turning the EU-U.S. Privacy Shield into reality. Both sides of the Atlantic work to ensure that the personal data of citizens will be fully protected…Businesses are the ones that will implement the framework."

And EU Commissioner said: "The EU-U.S. Privacy Shield is a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds. Also, now that President Obama has signed the Judicial Redress Act granting EU citizens the right to enforce data protection rights in U.S. courts, we will shortly propose the signature of the EU-U.S. Umbrella Agreement ensuring safeguards for the transfer of data for law enforcement purposes. These strong safeguards enable Europe and America to restore trust in transatlantic data flows".

The U.S. authorities provided strong commitments that the Privacy Shield will be strictly enforced and assured there is no indiscriminate or mass surveillance by national security authorities.The EC said this will be guaranteed through "strong obligations on companies and robust enforcement: the new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply. The new rules also include tightened conditions for onward transfers to other partners by the companies participating in the scheme."

For the first time, the U.S. government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data.

Effective protection of EU citizens’ rights with several redress possibilities: Complaints have to be resolved by companies within 45 days. A free of charge Alternative Dispute Resolution solution will be available. EU citizens can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved.

If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism ensuring an enforceable remedy. Moreover, companies can commit to comply with advice from European DPAs. This is obligatory for companies handling human resource data.

There is call for the establishment of an annual joint review mechanismto monitor the functioning of the Privacy Shield. The European Commission and the U.S. Department of Commerce will conduct the review and associate national intelligence experts from the U.S. and European Data Protection Authorities. On the basis of the annual review, the Commission will issue a public report to the European Parliament and the Council.

Next steps
Going forward a committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities (Article 29 Working Party) will give their opinion, before a final decision by the College. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.