Jul 27

The adoption of the EU-US Privacy Shield on July 12, 2016, as the Safe Harbor’s successor

« We have approved the new EU-U.S. Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions ». Andrus Ansip, Commission Vice-President for the Digital Single Market.

The European Commission finally adopted the EU-U.S. Privacy Shield, an agreement regulating the transatlantic transfer of personal data for commercial purposes. It is meant to replace the Safe Harbor agreement, which was invalidated by the European Court of Justice on October 6, 2015. The invalidation of the Safe Harbor followed Edward Snowden’s 2013 revelations about US mass surveillance.

Meant to give better protection to EU citizens whose personal data is transferred to the US, the Privacy Shield also brings some clarity concerning those transatlantic data transfers.

The new principles that must be followed are:

  • Companies dealing with personal data should have strong obligations, which are regularly updated and reviewed by the US Department of Commerce. Companies that do not follow these rules will face sanctions and removal from the list.
  • The US government gave its written assurance that it will provide clear safeguards and transparency obligations on its access, for law enforcement and national security purposes, to personal data flowing from the EU. The bulk collection of personal data will be allowed only under specific preconditions.
  • Individual rights are effectively protected, as affordable and simplified dispute resolution mechanisms are available to citizens who wish to contest the use of their data under the Privacy Shield.

The procedure is as follows: either the company itself resolves the issue, or an alternative dispute resolution (ADR) solution is offered to the citizen. National Data Protection Authorities are also competent to deal with complaints about the misuse of personal data. As a last resort, an arbitration mechanism is provided.

  • An ombudsman from the US intelligence services will handle all redress possibilities related to national security.
  • The US and the EU will set up an annual joint review mechanism with regard to access to personal data by national authorities. The European Commission will then issue a public report to the European Parliament and the Council.

However, some European countries were reluctant to adopt this new data transfer agreement with the US: 4 of them (Austria, Bulgaria, Croatia, Slovenia) abstained from the vote.

Katia Beider & @ATURQUOISE
