U.S. and EU agree to new data protection pact
After two years of negotiations, the European Commission and the U.S. Department of Commerce recently reached an agreement for a new framework for transatlantic exchanges of personal data for commercial purposes.
The new arrangement, entitled the EU-US Privacy Shield, will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European data protection authorities.
The new arrangement includes written commitments and assurance by the U.S. that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, thereby preventing generalized access.
The new agreement will include sanctions or exclusion if U.S. companies do not comply. The new rules also include tightened conditions for onward data transfers to other partners by the companies participating in the scheme.
Under the agreement, the U.S. government has given the EU written assurance from the Office of the Director of National Intelligence that any data access by public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
U.S. Secretary of State John Kerry committed to establishing a redress possibility in the area of national intelligence for Europeans through an ombudsman within the State Department, who will be independent from national security services. The ombudsman will follow-up complaints and inquiries by individuals and inform them whether the relevant laws have been complied with. All the written commitments will be published in the U.S. Federal Register.
The agreement also attempt to provide effective protection of EU citizens’ rights through an alternative dispute resolution system. EU citizens can also go to their national data protection authorities, who will work with the U.S. Department of Commerce and Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved.
Due to legislative changes, EU citizens will also have access to U.S. courts to enforce privacy rights in relation to personal data transferred to the U.S. for law enforcement purposes. EU citizens are reminded that intelligence agencies will continue to carry out bulk data collection despite the new agreement.
The new pact is designed to replace the old “Safe Harbour” arrangement, which was struck down by the Court of Justice of the European Union (CJEU).
The EU-US Privacy Shield will not come into force until the European Commission has adopted an “adequacy finding” which declares that the data safeguards provided under the new scheme are equivalent to data protection standards in the EU.