The European Commission launches the EU-U.S. Privacy Shield

On 12 July 2016, the European Commission adopted a new arrangement for international exchanges of data between the United States and the European Union, namely, the “Privacy Shield”.

The need for this new framework arose from the judgment rendered by the CJEU last October in the Schrems case. In its decision, the European Court pointed out the serious deficiencies in the previous “Safe Harbor” arrangement, to the extent that it was ruled invalid. [see our article on Safe Harbor]

In that regard, in February 2016 it was announced that there would be a new framework that would provide the necessary guarantees for the transatlantic flow of EU citizens’ personal data.  Just this month, the French data protection authority (the Commission Nationale de l’Informatique et des Libertés –CNIL-) asked Facebook to stop compiling the data of users who did not have an account with the social media site and to stop transferring that data to the U.S., thus creating a growing awareness of transatlantic data transfers throughout the whole of Europe.   

For this reason, this new arrangement has been in the spotlight in a number of sectors ever since it was conceived.

The final wording of the arrangement seeks to reflect the following principles: 

• Robust obligations on companies that handle data
• Transparency and clear safeguards on U.S. government access                
• Effective protection of individual rights
• Annual joint review mechanism              

Those principles will be implemented by the following means: U.S. companies handling European citizens’ data will have to register to be on the “Privacy Shield” list and self-certify that they meet the standards set out by the arrangement; there will also be dispute resolution mechanisms that may be accessed by citizens who consider their rights to have been violated within the context of this system; and there will be cooperation between the European Commission and the U.S. Department of Commerce.                                        

The above measures merely seek to ensure an adequate level of protection of the personal data of EU citizens, as well as assurances for U.S. companies which, as market operators, handle that data. 

The adequacy decision is now in force, though U.S. companies will not be able to register to be on the aforementioned list until 1 August 2016. As regards EU citizens, the European Commission has announced that it will be publishing a guide to help get complaints procedures against companies underway.  For the time being, information has been provided in FAQ format along with the press release.

As is typically the case where such momentous issues are concerned, the terms of this new arrangement have been subject to heavy debate.

Figures such as the Euro MP Jan–Philipp Albrecht consider that although the arrangement might, at first glance, appear to provide guarantees, the practical application of its mechanisms could render it meaningless.  He highlights the intricate and complex nature of the rules for legal redress for unauthorised use of citizens’ personal data due to the large number of intermediaries involved, such as arbitration bodies and national authorities.  Also, a number of sectors have pointed out that the wording concerning mass surveillance echoes the “Safe Harbor” framework almost word for word.

It should nevertheless be noted that the “Privacy Shield” has been tweaked throughout the drafting process to accommodate the suggestions and opinions of the many authorities on the subject, such as the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor.  

This provides another tool to promote trade between the European Union and the United States, one that is based on a vision that offers more guarantees as far as citizens’ rights are concerned.

Authors: Fernando Díaz y Martín Bello

Visit our website: http://www.elzaburu.es/en