As a direct response to the Snowden revelations concerning the bulk collection of personal data by US intelligence agencies, the European Commission and the US Department of Commerce jointly developed a new framework intended to considerably strengthen the protection of EU citizens' privacy rights when their personal data is transferred to US data controllers and processors. The previous regime, Safe Harbor, was invalidated by the European Court of Justice in Schrems v. Data Protection Commissioner, which held that the privacy rights of EU citizens were at risk given the broad overreach of US public authorities.
Restoring certainty in trans-border data flows is of the utmost priority for regulators on both sides of the Atlantic, given that the economies of the EU and the US are inextricably linked and built on a digital backbone supporting virtually every facet of commerce.
The new Privacy Shield considerably strengthens the privacy rights of EU citizens, including with respect to the onward transfer of personal information. Its key provisions require adherence to the core privacy principles of notice, choice, security, data integrity, access, recourse and enforcement, and accountability for onward transfer.
Perhaps the most important aspect of the Privacy Shield is its more rigorous access, monitoring, and enforcement mechanisms, which were lacking in Safe Harbor. According to the European Commission’s statement, “for the first time, the US has given the EU written assurance that the access of public authorities for law enforcement, and national security will be subject to clear limitations, safeguards, and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.” By virtue of these strengthened enforcement mechanisms, EU citizens will be able to:
Seek redress for alleged violations of their privacy rights directly with the companies concerned, which are obliged to resolve such complaints within 45 days;
Among the most sensitive matters that the EU-US Privacy Shield is designed to remedy is the overreach of the US government in its bulk data collection practices: “the U.S. government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalized access to personal data.” Finally, to give EU citizens standing before US courts, President Obama signed into law the Judicial Redress Act, which extends to EU citizens certain rights of judicial redress under the Privacy Act of 1974 that were previously available only to US citizens.
However, the fate of the Privacy Shield remains uncertain. The policy direction of the new US Administration is of concern to EU regulators, and the framework is pending review by the Article 29 Working Party (WP29). A number of submissions are under consideration, including pending assurances from the new Administration of its continued commitment to more robust protection of EU citizens' privacy rights. This includes adherence to the provisions of the GDPR once it becomes enforceable in May 2018.
In the meantime, US entities transferring the personal information of EU citizens may instead rely on Binding Corporate Rules (BCR) or Standard Contractual Clauses (also known as Model Clauses), both of which require the recipient to safeguard EU privacy rights, including for any onward transfer of EU citizens' data.
The state of cross-border data flows remains unsettled, although there are encouraging signs that the framework will be upheld.