The European Commission, EU governments, and the U.S. government were to find political, legal, and technical solutions by January 31, 2016 enabling legally compliant data transfers between the U.S. and Europe as stipulated by the CJEU ruling. The negotiators exceeded the deadline somewhat and announced yesterday, on February 2, 2016, that an agreement
had been reached. According to EU Justice Commissioner Vera Jourová and the Commissioner for the Digital Single Market Andrus Ansip, it will still take a few weeks, however, until the agreement evolves into sound legal basis. The new framework will be known by the somewhat unwieldy term of “EU-US Privacy Shield”.Key points of the agreement
According to the Commissioner for Justice and the Commissioner for the Digital Single Market, the new arrangement will include the following key elements in relation to the data transfer between Europe and the U.S.:
What happens now?
- Obligations on companies: Initially, companies will commit – as in the Safe Harbor Agreement – to maintain effective data protection rules. These commitments must be published and are thus enforceable under U.S. law. In addition, data subjects are given the possibility of complaining directly to the company, whereupon such company undertakes to remedy any privacy violations. The companies are subject to strict supervision by the Federal Trade Commission
- Redress possibilities: A multi-level complaint and escalation procedure for EU citizens will be introduced to resolve cases of non-compliance with the commitments by U.S. companies. In the end, judicial review should be possible in exceptional cases as well.
- Penalties: Companies that are violating rules for data protection compliant processing are subject to fines.
- Rights of the European supervisory authorities: U.S. companies undertake to accept decisions issued by the European supervisory authorities and to implement them accordingly.
- Transparency: The U.S. guaranteed their European counterparts that intelligence agencies and courts would be subject to strict conditions and oversight when accessing data of European citizens. There will be no mass surveillance of European citizens. Any access will be limited to individual cases. In cases of non-compliance, EU citizens may file a complaint with a new Ombudsperson.
- Annual review: There will be an annual joint review in order to monitor the effective implementation of the new arrangement. In Europe, an annual report will be published.
It should be noted that this framework reached at the political level is yet to be transferred into a valid agreement in the weeks to come. To date, there is only a statement of intent. It remains open in which form the data transfer with the U.S. will be regulated in the future. The EU Commissioners have only addressed a “new arrangement” so far. The U.S. has, however, already committed to initiate steps for implementing the agreements reached. It remains to be seen to what extent the U.S. authorities feel bound to the commitments in the next few weeks.
The EU Commission will prepare a draft “adequacy decision” in the coming weeks. The Commission would then use such a decision to certify an adequate level of data protection to the “EU-US Privacy Shield”.
The German Federal Commissioner for Data Protection and Freedom of Information, Andrea Voßhoff
the announcement by the European Commission. It would still be necessary to examine whether the new framework in fact complies with the requirements stipulated by the CJEU ruling and meets the necessary guarantees for legally compliant data transfer to the US.
The first critics of the new arrangements have already voiced their opposition on the Internet. Among others, the former Federal Commissioner for Data Protection and Freedom of Information (from 2003 to 2013) Peter Schaar
already made critical comments with regard to the new rules
. In particular, he considers the judicial protection of EU citizens not to be far-reaching enough.
The Article 29 Working Party
has issued a statement
on Wednesday February 3, 2016. It welcomes the conclusion of the negotiations between the EU and the U.S. and looks forward to receive and review the relevant documents. According to the Article 29 Working Party the new agreement will have to safeguard the following essential guarantees for intelligence activities:
- A. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;
- B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
- C. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
- D. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.
The Article 29 Working Party has set a new deadline
until the end of February
for the EU Commission to communicate all relevant documents to the Article 29 Working Party for review. Until than the Article 29 Working Party considers that the other existing transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules can still be used for personal data transfers to the U.S.
The decision of the Article 29 Working Party is good news for all companies that are currently relaying on Standard Contractual Clauses and Binding Corporate Rules for their data transfers to the U.S. However, the decision is not binding for national data protection authorities. It will therefore remain interesting as regards data transfers to the U.S., and businesses should monitor developments closely in order to react in time and to adjust their data transfers. Of course, we will keep you informed of further developments.