Cross-border transfers are used in many industries for sharing employee information or when consumer data is shared to complete credit card, travel or e-commerce transactions.
They are also key to web companies that collect personal information about their users and serve them targeted ads, such as Facebook and Google.
The Privacy Shield will give Europeans a way to complain about U.S. agents' access to data transferred under the framework.
The European Commission today annoonced that it has (i) finalised the reform of EU Data protection rules, which apply to all companies providing services on the EU market, (ii) negotiated the EU-U.S. Umbrella Agreement ensuring high data protection standards for data transfers across the Atlantic for law enforcement purposes, and (iii) achieved a renewed sound framework for commercial data exchange: the EU-U.S. Privacy Shield.
The Commission also made public today a draft "adequacy decision" of the Commission as well as the texts that will constitute the EU-U.S. Privacy Shield. This includes the Privacy Shield Principles companies have to abide by, as well as written commitments by the U.S. Government on the enforcement of the arrangement, including assurance on the safeguards and limitations concerning access to data by public authorities.
Vice-President Ansip said: "Now we start turning the EU-U.S. Privacy Shield into reality. Both sides of the Atlantic work to ensure that the personal data of citizens will be fully protected and that we are fit for the opportunities of the digital age. Businesses are the ones that will implement the framework; we are now in contact on a daily basis to ensure the preparation is done in the best possible way. We will continue our efforts, within the EU and on the global stage, to strengthen confidence in the online world. Trust is a must, it is what will drive our digital future."
The U.S. authorities provided commitments that the Privacy Shield will be strictly enforced and assured there is no indiscriminate or mass surveillance by national security authorities.
This will be guaranteed through:
- The new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply. The new rules also include tightened conditions for onward transfers to other partners by the companies participating in the scheme.
- The U.S. government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data. U.S. Secretary of State John Kerry committed to establishing a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State, who will be independent from national security services. The Ombudsperson will follow-up complaints and enquiries by individuals and inform them whether the relevant laws have been complied with. These written commitments will be published in the U.S. federal register.
- Complaints have to be resolved by companies within 45 days. A free of charge Alternative Dispute Resolution solution will be available. EU citizens can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism ensuring an enforceable remedy. Moreover, companies can commit to comply with advice from European DPAs. This is obligatory for companies handling human resource data.
- The mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the U.S. Department of Commerce will conduct the review and associate national intelligence experts from the U.S. and European Data Protection Authorities. The Commission will draw on all other sources of information available, including transparency reports by companies on the extent of government access requests. The Commission will also hold an annual privacy summit with interested NGOs and stakeholders to discuss broader developments in the area of U.S. privacy law and their impact on Europeans. On the basis of the annual review, the Commission will issue a public report to the European Parliament and the Council.
Now, a committee composed of representatives of the European Member States will be consulted and the EU Data Protection Authorities will give their opinion, before a final decision by the College. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.
Following the adoption of the Judicial Redress Act by the U.S. Congress, signed into law by President Obama on 24 February, the European Commission will propose the signature of the Umbrella Agreement. The decision concluding the agreement should be adopted by the Council after obtaining the consent of the European Parliament.