Following the 2015 decision of the Court of Justice of the European Union in the Schrems case, where it held that Commission Decision 2000/520/EC in respect of safe harbour was invalid under data protection laws, transfers of personal data from the European Union to the United States came further under the spotlight. The Court’s decision coming following a period of intense anxiety in the European Union as to the lack of basic protection given to personal data under United States law.
The European Commission, itself having expressing anxiety with the failures of the US to adequately protect EU citizens’ data as far back as 2013, entered into negotiations over two years ago with the US authorities to find a replacement for the safe harbour agreement.
Looking to find a suitable way forward that balanced the privacy rights of European citizens with the necessity of means for business to use and store data in the United States, the European Commission adopted the EU-US Privacy Shield Framework on 12th July 2016.
Compared to the safe harbour framework the new privacy shield features:
- Enhanced data protection obligations on US companies receiving personal data from the EU
- Written commitments and assurance by the US that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalised access;
- New means of redress for individuals, including the establishment of an “ombudsperson” in the US State Department who will address privacy-related questions and complaints from people in the EU;
- Strict commitments to delete data that no longer serves the purpose for which it was collected; and
- The ability of EU citizens to pursue legal remedies through private causes of action in US state courts, including private causes of action for misrepresentation and similar types of claims.
Individuals may bring a complaint directly to a Privacy Shield participant and the participant must respond to the individual within forty-five days.
Privacy Shield participants must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
In addition to the above, the new framework implements an annual joint EU/US review to monitor the implementation.
Furthermore the US Office of the Director of National Intelligence has agreed to give written commitments that EU citizens’ personal data will not be subject to mass surveillance
Under the Privacy Shield, American companies will be able to “self-certify” that they follow the privacy principles outlined in the framework. The agreement establishes an ombudsperson’s office in the US State Department who will address privacy-related questions and complaints from people in the EU.
The privacy shield immediately becomes effective in the EU. In the US, the adopted Privacy Shield text will be published in the Federal Register and the Department of Commerce will begin implementing the framework. From 1st August 2016, US companies will be able to self-certify as members of the Privacy Shield.
Despite the enhanced safeguards promised by the new framework it is likely that the matter will be litigated before the European courts as anxiety over US failure to adequately safeguard EU citizens’ data is likely to continue. The promised certainty that the new framework offers to business and individuals alike may prove elusive.
Seán O’Halloran – Trainee Solicitor, JRAP O’Meara