On February 2, 2016 the European Commission announced at a press conference in Strasbourg that it had reached a political agreement with the US authorities to allow the transfer of personal data from the EU to the US. The agreement, named “EU-US Privacy Shield” (the hashtag is already a star on the web, and on Twitter in particular), will replace the Safe Harbor agreement invalidated by the EU Court of Justice in October 2015.
The enthusiasm of European authorities and of corporations (US ones in particular) following this announcement is understandable. After the annulment of the Safe Harbor agreement, the entire EU/US business relationship fell into serious uncertainty, with the national data protection authorities empowered to pursue whoever and whatever was involved in transatlantic business. The problem is dramatic because a huge number of businesses rely on the transfer of data from the EU to the US: for example, most European retailers use US platforms to bill their clients, so without a clear data transfer framework most of these businesses are impaired, even when their trade is entirely within the EU.
Nevertheless, it is still too early to predict whether the announced agreement will solve the pending problems. The announcement concerns only principles, while the precise details of the new framework still need to be negotiated and then incorporated into a final European decision (a so-called “adequacy decision”). In addition, most of the commendable obligations required of the US authorities still have to be confirmed in writing. Not surprisingly, the Commission’s announcement was followed by skeptical reactions from various leading characters of the #SafeHarbor saga, such as Mr. Schrems, the Austrian citizen who started the entire matter with his action before the European court, MEP Albrecht, the rapporteur of the new European data protection regulation, and even Mrs. Reding, the former EU Commissioner who started the reform of data protection in the EU.
One could say that the main purpose of this announcement was to gain some time, since the national data protection authorities had granted the Commission a 3-month period (expiring at the end of January 2016) before they would start to investigate (and eventually impose sanctions on) the EU-US data flow business. If so, the stratagem worked, since the Article 29 Working Party (essentially the body representing the data protection authorities) has welcomed the political agreement and encouraged the Commission to go ahead (although no evaluation on the merits has been given, since the precise details are not fixed yet). However, the head of the French data protection authority has been much clearer, stating that “we can’t just accept words on privacy shield”.
Thus, it is still unclear whether this agreement will solve the crisis or will just open a new round trip to the European Court of Justice. Some parts of the announcement seem to disclose important progress on the US side, such as:
“For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms”.
Mass surveillance and unlimited access to personal data are a crucial matter between the EU and the US: it is a delicate legal issue – being the main ground cited by the European court to invalidate the Safe Harbor agreement – but also a matter for political discussion, following the Snowden/NSA scandal.
The further steps will not be easy at all: Vice-President Ansip and Commissioner Jourová will prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of the European Commission after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. department will make the necessary preparations to put in place the new framework with the obligations on its side.
As regards the main part of the agreement, here is an extract from the Commission’s press release:
- Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.