Archive for February, 2016

The European Commission has released a Draft Adequacy Finding as a step towards the finalization of a new EU-US Privacy Shield. The concept of an EU-US Privacy Shield was outlined in an arrangement published on February 2, 2016. The Shield is intended to replace the EU-US Safe Harbor Agreement, which was invalidated in an October 6, 2015 decision of the European Court of Justice.

The Draft Adequacy Finding will now be reviewed, commented upon, revised and finalize by a wide range of EU agencies and officials before being submitted to vote by the EU Parliament and the European Council. This finalization should not occur before several months.

The EU-US Privacy Shield is intended to create stronger obligations for US companies that process the personal data of residents of the European Economic Area than those that were outlined in the EU-US Safe Harbor, adopted in 2000. It is expected to require stronger monitoring and enforcement by the US Department of Commerce and the Federal Trade Commission, including through increased cooperation with the Member States Data Protection Authorities.

The EU-US Privacy Shield is expected to include written commitments and assurances by the United States that any access by public authorities to personal data transferred to the US under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, in order to prevent generalized access. A newly created Ombudsperson mechanism will handle complaints and inquiries in this context.

On February 2, 2016, representatives of the European Commission and the United States agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield. The main elements of the arrangement provide that:

• US companies that wish to receive EU data will be required to commit to stringent obligations on how personal data is processed and individual rights are guaranteed;
• Citizens who think that their data has been misused will have several redress possibilities ;
• Companies will be required to respond to citizens’ complaints within a set timeframe;
• European Data Protection Authorities will have the ability to refer complaints to the US Department of Commerce and the Federal Trade Commission;
• Alternative Dispute resolution will be free of charge;
• Access by U.S. law enforcement to personal data transferred under the EU-US Privacy Shield will be subject to clear conditions, limitations and oversight mechanisms, preventing generalized access;
• Complaints on possible access by national intelligence authorities will be referred to an Ombudsperson;
• The implementation of the arrangement – including the restriction to law enforcement access to data – will be subject to annual joint reviews. The European Commission and the U.S. Department of Commerce will conduct the reviews and invite US national intelligence experts and European Data Protection Authorities to participate.

The College of EU Commissioners, which approved the final terms of the arrangement, has mandated Vice-President Ansip and Commissioner Jourová to prepare a draft “adequacy decision” in the coming weeks clarifying the elements of the EU-US Privacy Shield.

Once the document has been finalized, it will be submitted to approval by the College of Commissioners. The Article 29 Working Party and a committee composed of representatives of the Member States will also be consulted. In the meantime, the U.S. will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.