The European Commission today issued the legal texts that will put in place the EU-U.S. Privacy Shield and a Communication summarising the actions taken over recent years to restore trust in transatlantic data flows since the 2013 surveillance revelations. In line with President Juncker's political guidelines, the Commission has (i) finalised the reform of EU data protection rules, which apply to all companies providing services on the EU market, (ii) negotiated the EU-U.S. Umbrella Agreement
ensuring high data protection standards for data transfers across the
Atlantic for law enforcement purposes, and (iii) achieved a renewed
sound framework for commercial data exchange: the EU-U.S. Privacy Shield.
The Commission also made public today a draft "adequacy decision" of the
Commission as well as the texts that will constitute the EU-U.S. Privacy Shield.
This includes the Privacy Shield Principles companies have to abide by,
as well as written commitments by the U.S. Government (to be published
in the U.S. Federal Register) on the enforcement of the arrangement,
including assurance on the safeguards and limitations concerning access
to data by public authorities.
Vice-President Ansip said: "Now we start turning the EU-U.S. Privacy Shield into reality. Both sides of
the Atlantic work to ensure that the personal data of citizens will be
fully protected and that we are fit for the opportunities of the digital
age. Businesses are the ones that will implement the framework; we are
now in contact on a daily basis to ensure the preparation is done in the
best possible way. We will continue our efforts, within the EU and on
the global stage, to strengthen confidence in the online world. Trust is
a must, it is what will drive our digital future."
Commissioner Jourová said: "Protecting
personal data is my priority both inside the EU and internationally.
The EU-U.S. Privacy Shield is a strong new framework, based on robust
enforcement and monitoring, easier redress for individuals and, for the
first time, written assurance from our U.S. partners on the limitations
and safeguards regarding access to data by public authorities on
national security grounds. Also, now that President Obama has signed the
Judicial Redress Act granting EU citizens the right to enforce data
protection rights in U.S. courts, we will shortly propose the signature
of the EU-U.S. Umbrella Agreement ensuring safeguards for the transfer
of data for law enforcement purposes. These strong safeguards enable
Europe and America to restore trust in transatlantic data flows".
Once adopted, the Commission's adequacy finding establishes that the
safeguards provided when data are transferred under the new EU-U.S. Privacy Shield
are equivalent to data protection standards in the EU. The new
framework reflects the requirements set by the European Court of Justice
in its ruling from 6 October 2015. The U.S. authorities provided strong
commitments that the Privacy Shield will be strictly enforced and
assured there is no indiscriminate or mass surveillance by national
security authorities.
This will be guaranteed through:
- Strong obligations on companies and robust enforcement: the
new arrangement will be transparent and contain effective supervision
mechanisms to ensure that companies respect their obligations, including
sanctions or exclusion if they do not comply. The new rules also
include tightened conditions for onward transfers to other partners by
the companies participating in the scheme.
- Clear safeguards and transparency obligations on U.S. government access: for
the first time, the U.S. government has given the EU written assurance
from the Office of the Director of National Intelligence that any access
of public authorities for national security purposes will be subject to
clear limitations, safeguards and oversight mechanisms, preventing
generalised access to personal data. U.S. Secretary of State John Kerry
committed to establishing a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State, who will be independent
from national security services. The Ombudsperson will follow up
complaints and enquiries by individuals and inform them whether the
relevant laws have been complied with. These written commitments will be
published in the U.S. Federal Register.
- Effective protection of EU citizens' rights with several redress possibilities:
Complaints have to be resolved by companies within 45 days. A free of
charge Alternative Dispute Resolution solution will be available. EU
citizens can also go to their national Data Protection Authorities, who
will work with the Federal Trade Commission to ensure that unresolved
complaints by EU citizens are investigated and resolved. If a
case is not resolved by any of the other means, as a last resort there
will be an arbitration mechanism ensuring an enforceable remedy.
Moreover, companies can commit to comply with advice from European DPAs.
This is obligatory for companies handling human resource data.
- Annual joint review mechanism: the
mechanism will monitor the functioning of the Privacy Shield, including
the commitments and assurance as regards access to data for law
enforcement and national security purposes. The European Commission and
the U.S. Department of Commerce will conduct the review and associate
national intelligence experts from the U.S. and European Data Protection
Authorities. The Commission will draw on all other sources of
information available, including transparency reports by companies on
the extent of government access requests. The Commission will also hold
an annual privacy summit with interested NGOs and stakeholders to
discuss broader developments in the area of U.S. privacy law and their
impact on Europeans. On the basis of the annual review, the Commission
will issue a public report to the European Parliament and the Council.
Next steps
Now, a committee composed of representatives of the Member States will be
consulted and the EU Data Protection Authorities (Article 29 Working
Party) will give their opinion, before a final decision by the College.
In the meantime, the U.S. side will make the necessary preparations to
put in place the new framework, monitoring mechanisms and the new
Ombudsperson mechanism.
Following the adoption of the Judicial
Redress Act by the U.S. Congress, signed into law by President Obama on
24 February, the Commission will shortly propose the signature of the
Umbrella Agreement. The decision concluding the Agreement should be
adopted by the Council after obtaining the consent of the European
Parliament.
