On the 2nd of February, the European Commission and the United States reached an agreement on a new framework for transatlantic data flows, replacing the old Safe Harbour framework, which has been invalid since the 6th of October, 2015.
Thanks to this new agreement, companies in the U.S. are now subject to stronger obligations to protect the personal data of Europeans, as well as more stringent monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC). Better cooperation with European Data Protection Authorities will also be enforced.
EU data protection laws dictate that EU citizens’ personal information cannot be shared with countries deemed to have less than stringent privacy regulations, such as the US, but Safe Harbour allowed some data to circumvent these restrictions and be transmitted across the Atlantic.
More than 4,000 companies, including tech giants Amazon, Facebook and Google, were reliant on the previous 15-year-old legislation. Concerns about US state surveillance prompted a renegotiation of the agreement before it was deemed invalid.
The important facts
- The scheme “EU – US Privacy Shield” replaces the Safe Harbor scheme, and will be administered by the US Department of Commerce. European and U.S. representatives will oversee the process and the timing for the transition from Safe Harbor to the new scheme.
- An organization under the new scheme will be able to import personal data from Europe to the U.S., provided that the reason for this is explicitly stated and that it complies with the new enhanced requirements. Existing restrictions concerning onward transmission of personal data from the US to other countries will be tightened.
- Every organization claiming that they comply with the new scheme will be subject to regular monitoring and reviews by the U.S. Department of Commerce. Failing to comply with these commitments will result in sanctions by the U.S. Federal Trade Commission and possibly being removed from the scheme completely.
- An individual has the right to file a complaint, free of charge, with any organization adhering to the EU – US Privacy Shield scheme. This complaint must be considered within a limited timeframe in the first instance, with the individual having the possibility of referring it to their European data protection authority, which in turn may decide to refer it to the U.S. Department of Commerce and Federal Trade Commission. The U.S. authorities will be required to investigate and resolve the complaint within a reasonable but limited timeframe.
- A written assurance to the European Union will be provided by the US Director of National Intelligence, stating that access to personal data about European citizens will only occur to the extent it is necessary and proportionate, namely for national security and law enforcement purposes.
- The Judicial Redress Act must be passed by the U.S. Congress so that European citizens will hold the same rights of redress as U.S. citizens when it comes to unlawful access of their personal data by U.S. public bodies.
- The European Commission and U.S. Department of Commerce will perform a joint annual review of the functioning of, and compliance with, the new scheme.
- The EU-U.S. Privacy Shield scheme is anticipated to be fully implemented in May 2016.
This article was influenced by Telehouse’s feature on the EU-US Privacy Shield