New "EU-US Privacy Shield" for the transfer of EU personal data to the US

The newly proposed “EU-US Privacy Shield” arrangement should provide an adequate level of protection for the transfer of EU personal data to the US.

On 2 February 2016, the European Commission announced that a new agreement was reached with the US Department of Commerce that would allow for the transfer of personal data of EU citizens to the US.

In our earlier analysis we discussed the legal consequences of the Schrems ruling of the European Court of Justice on 6 October 2015, which declared the old EU-US Safe Harbor arrangement with regard to the transfer of EU personal data to the US invalid.

This new “EU-US Privacy Shield” is intended to replace the “Safe Harbor Framework” and aims to address the wider concerns raised by the European Court of Justice about the lack of safeguards and adequate protection for the data of EU citizens in the US. These concerns left businesses that transfer EU personal data to the US operating in a legal vacuum.

The new arrangement includes:

  • Any EU citizen who considers that their data has been misused will have several redress possibilities. 

    US companies have deadlines to respond to complaints.

    European data protection authorities can refer complaints to the Department of Commerce and the Federal Trade Commission, and a new Ombudsperson will be created in the US to deal with specific complaints.
  • US companies wishing to import personal data from the EU will need to commit to robust obligations on how personal data is processed and how individual rights, such as the right to privacy, are guaranteed.
  • In addition, the US has given the EU written assurances that the access of public authorities for law enforcement and national security to data will be limited and proportionate.
  • This arrangement will be subject to an annual joint review.

However, at this stage an official legal text is not yet available.

In the coming weeks negotiations will take place on the implementation of this political agreement into a Commission "adequacy decision". This will occur, in any event, after consulting and obtaining the advice of the Article 29 Working Party, an independent advisory body composed of representatives from all national privacy protection authorities in the EU, the European Data Protection Supervisor and the European Commission. 

In principle implementation could follow by April 2016.

In the meantime, the alternative mechanisms for the transfer of personal data from the EU to the US, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs), can still be used.

Applying the old Safe Harbor Framework is not recommended.

To be continued...