EU-US Privacy Shield published
Estimated reading time 4 minutes
The full details of the Privacy Shield Agreement reached between EU Commission and US government officials at the beginning of February 2016 have now been published.
Where we left off
As previously reported, the Privacy Shield Agreement (which was designed to replace the Safe Harbor scheme that was ruled unlawful by the Court of Justice in the European Community (CJEU) last year - see previous article here), provides for:- a US ombudsman to handle complaints from EU citizens about Americans viewing their data without permission;
- written commitments from the US Office of the Director of National Intelligence that EU citizens' personal data will not be subject to mass surveillance;
- a joint annual review to ensure that this new system is working properly;
- EU data protection authorities to work with the Federal Trade Commission to address any flagged problems; and
- companies being barred from making use of this process if they do not comply with privacy safeguards.
Recent developments
The full text of the Privacy Shield Agreement has now been released. The US Department of Commerce has issued letters to the EU Commission explaining what will be required of US companies wishing to adopt the Privacy Shield and how this will be enforced. As with the Safe Harbor Agreement it remains voluntary and companies will self-certify their compliance on an annual basis. Regarding the key issue of mass surveillance by US security agencies, it has been agreed that EU nationals should not be subjected to it, and the redress available to EU nationals in cases of abuse is set out. This includes referral to the new ombudsman function as well as the remedies available under the Judicial Redress Act (see our update here) which has now received Presidential approval.What to expect
There is still some way to go, however, before the arrangements set out in the Privacy Shield Agreement can be regarded as established and lawful under EU law. Most importantly, the EU Commission must formally confirm that the Privacy Shield provides adequate protection for EU nationals’ rights. This will not happen until the Article 29 Working Party (composed of the European Data Protection Supervisor, the European Commission, and representatives of the national data protection authorities), the committee of national data protection authorities from EU member states, and the EU Parliament have all expressed their views, which could take some months. In the meantime, the chair of the Article 29 Working Party has expressed the view that, pending the conclusion of this process, there should be a suspension on enforcement action but this does not have any legal force. Privacy activists however remain sceptical and are reported to be preparing challenges to the CJEU on continuing data transfers to the US. The Presidential Policy Directive 28, issued in January 2014, remains in force and permits US security agencies to collect data in bulk (including that of EU nationals) for 6 purposes:- Detecting and counteracting:
○ certain activities of foreign powers (such as espionage),
○ threats of terrorism,
○ weapon proliferation,
○ cybersecurity threats,
○ threats to U.S. or allied armed forces,
○ transnational criminal threats, including sanctions evasion.
The US Office of the Director of National Intelligence has confirmed that mass surveillance of data for these purposes will remain unaffected and as such, the commitments to the contrary in relation to EU nationals’ personal data will not be applicable in any of these circumstances. We will report further as the EU legislative process progresses.