EU–US transfer agreement adopted
26 July 2016
Regulatory News Alert
On 12 July 2016, the European Commission adopted the EU-US Privacy Shield framework by way of an adequacy decision. Following notification to the Member States, the new framework for EU-US personal data transfers enters into force immediately. The adoption of the Privacy Shield signals a return to normality for transatlantic data transfers, after the previous Safe Harbor framework was invalidated by the European Court of Justice in October 2015.
As of 1 August 2016, companies will be able to self-certify with the US Department of Commerce operating the Privacy Shield.
Obligations on companies handling data
- Companies will be able to self-certify with the US Department of Commerce by committing to meet the Privacy Shield requirements.
- Requirements entail, among others, that companies must provide effective redress mechanisms to deal with data subject complaints, that employees must receive training about their obligations under internal privacy policies, and that data may be kept only as long as it serves the purpose for which it was collected.
- Conditions for onward transfers of data to third parties are tightened to guarantee the same level of protection in case of a transfer from a self-certified company.
- Participating organizations will have to re-certify every year and ensure that any onward transfers of personal data are covered by a contract with the receiving third party that provides the same level of protection.
- The Privacy Shield provides for oversight mechanisms to ensure that self-certified companies abide by the rules.
- The US Department of Commerce will conduct regular updates and reviews of the compliance of participating companies.
- Companies found to be non-compliant may face sanctions and be excluded from the list of certified companies.
- The functioning of the Privacy Shield itself will be jointly reviewed by the Commission and the US Department of Commerce, including the issue of national access.
Protection of data subject rights
- In case of misuse of data under the Privacy Shield arrangement, citizens will have several ways to lodge complaints about the use of their personal data by Privacy Shield organizations. In the first instance, complaints should be handled by the company itself. Free-of-charge Alternative Dispute Resolution (ADR) will be offered if the company does not resolve the complaint. In addition, data subjects can direct their concerns to national Data Protection Authorities, which will liaise directly with the Federal Trade Commission to ensure that issues are investigated and resolved. As a last resort, there will be an arbitration mechanism.
- Redress in the area of national security will be handled by an Ombudsperson independent from the US intelligence services.
Safeguards related to US government access
- The US has committed in writing that access by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
- The US has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-US Privacy Shield arrangement.