Yesterday the European Commission announced that the new agreement between the European Union and the United States on European data flowing into the United States has been approved. After months of negotiations, the deal was enthusiastically announced as “a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses” that “brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints” in the words of Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality.
Following the 2015 Court of Justice of the European Union (“CJEU”) landmark decision that put an end to the Safe Harbour system (i.e., the previous agreement regarding EU-US data flows), the US and the EU negotiated for about 2 years in an attempt to create a system that reassures European citizens and creates clarity for United States businesses. An initial agreement on the Privacy Shield was already reached in February, and was heavily criticized by the association of European data protection authorities named “Article 29 Working Party” (as we covered in our blog). Allegedly, the European Commission has taken note of such criticism and added clarifications and improvements to the draft.
Here are the main features of the Privacy Shield, as set forth in the Commission’s fact sheet:
- The U.S. Department of Commerce will register U.S. companies under the Privacy Shield if they commit to process personal data in accordance with certain compliance standards. It will also conduct regular updates and compliance reviews of participating companies, and companies who do not comply face sanctions and removal from the Privacy Shield list.
- The U.S. government’s access to personal data for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. There will be no indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement.
- Also for the first time, EU data subjects will benefit from redress mechanisms in the area of national intelligence, through an Ombudsperson mechanism within the Department of State that is independent from the US intelligence services.
- If personal data is processed in breach of the Privacy Shield, EU data subjects will have access to several dispute resolution mechanisms: (i) redress by the data controller, (ii) free-of-charge alternative dispute resolution, (iii) complaints submitted to their national Data Protection Authorities, which will work with the U.S. Federal Trade Commission to resolve complaints, and (iv) an arbitration mechanism.
- The functioning of the Privacy Shield will be monitored and a public report to the European Parliament and the Council will be issued.
The one million dollar question is: will the Privacy Shield hold?
The CJEU may strike it down in the future, and privacy groups will undoubtedly test the waters with new cases. If this happens, some predict that there will not be any further attempt to create another “Safe Harbor” or “Privacy Shield”. As Mark Scott of the New York Times puts it: “The European Commission, the executive arm of the European Union, and the United States Department of Commerce spent years negotiating the new deal. If it were eventually overturned in court, few companies or privacy experts would have faith that either side could do any better the next time around”.