Safe Harbor is dead! Meet the new Privacy Shield! On Feb. 2, 2016, representatives of the European Commission and the United States agreed on a new framework for transatlantic data flow: the EU-US Privacy Shield, a new framework intended to replace the EU-US Safe Harbor that was invalidated as a result of a decision of the EU Court of Justice. The details of the new Privacy Shield arrangement still needs to be drafted. Then, it will be submitted to the approval of the representatives of the individual EU states and the EU Parliament. The provisions agreed upon include:
US companies that wish to receive EU data will be required to commit to stringent obligations on how personal data is processed and individual rights are guaranteed;
Citizens who think that their data has been misused will have several redress possibilities;
Companies will be required to respond to citizens’ complaints within a set timeframe;
The US Department of Commerce and the Federal Trade Commission have agreed to supervise US companies who process EU data;
European Data Protection Authorities will have the ability to refer complaints to the US Department of Commerce and the Federal Trade Commission;
Alternative dispute resolution will be free of charge;
Access by US law enforcement to personal data transferred under the EU-US Privacy Shield will be subject to clear conditions, limitations, and oversight mechanisms, preventing generalized access;
Complaints on possible access by national intelligence authorities will be referred to an Ombudsperson;
The implementation of the arrangement – including the restriction on law enforcement’s access to data – will be subject to annual joint reviews. The European Commission and the US Department of Commerce will conduct the reviews and invite US national intelligence experts and European Data Protection Authorities to participate.
The College of EU Commissioners, which approved the final terms of the arrangement, has mandated Vice President Ansip and Commissioner Jourová to prepare a draft “adequacy decision” in the coming weeks clarifying the elements of the EU-US Privacy Shield.
Once the document has been finalized, it will be submitted for approval by the College of Commissioners. The Article 29 Working Party and a committee composed of representatives of the Member States will also be consulted. In the meantime, the US will make the necessary preparations to put in place the new framework, monitoring mechanisms, and the new Ombudsman.