By Jan Willem Knibbe
A little bomb went off when the European Court of Justice tore down the Safe Harbor agreement between the European Union and United States. This judgment put the already ongoing negotiations between the US Department of Commerce and the European Commission in a pressure cooker. The European regulators applied some extra pressure to the negotiations by threatening with coordinated enforcement actions if there wasn’t a new deal by the end of January.
This seemed to have worked as on 2 February Commissioner Jourová gave a press conference announcing that a political deal was reached with the US on a new agreement: the EU-US Privacy Shield. The Article 29 Working Party (A29WP) welcomed the fact that a political agreement was reached. The A29WP brings together representatives from the data protection authorities in the EU.
A final text is expected in the coming month that will provide a mechanism for legal transfers of personal data between the EU and US. Even though there isn’t a formal text yet, from what the European Commission and Department of Commerce have provided so far, several key issues can already be deduced.
Key elements of the agreemeent
Even though there is not yet a final agreement, the broad outline has been made clear and will include the following points:
- US companies wishing to import personal data from Europe will need to commit to obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- The US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and will invite national intelligence experts from the US and European Data Protection Authorities.
- Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
Role of the A29WP
The Commission is obliged to ask the opinion of the Article 29 Working Party on the new agreement. The A29WP will also analyse to what extent this new arrangement will provide legal certainty for the other transfer tools. Its assessment will thus not just be limited to the new Privacy Shield but also include whether BCRs and SCCs are still valid for data transfers. In the meantime, the grace period will be extended until the details of the agreement are clear – while the A29WP considers the new agreement, these mechanisms can still be used to transfer personal data to the US.
So what’s next?
An indicative roadmap has been provided setting out the next steps in developing the Privacy Shield.
- End of February: Vice-President Ansip and Commissioner Jourová to prepare a draft adequacy decision.
- March/April 2016: Article 29 Working Party and Member States will advise on the adequacy decision.
- April 2016: Commission will adopt adequacy decision.
- February – April 2016: The US will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.
Will the Privacy Shield be sufficient to meet the obligations set out by the European Court of Justice? Only time will tell. It will certainly be tested in court, as civil rights activists have already been mentioning as soon as the agreement was announced.
Notwithstanding these threads, the Privacy Shield certainly is a big step forward in providing legal certainty for companies who are transferring personal data from the EU to the US. Given what is at stake, there is a great will on both sides of the ocean to make the EU-US Privacy Shield a success.
ESOMAR, in partnership with CASRO, EFAMRO and MRA, will keep a close eye on the developments, and once there is more clarity on final text it will organize a webinar to provide more in-depth information. This will be announced via the usual channels, so keep an eye out for this announcement! In the meantime, should you have any specific questions please feel free to contact us at email@example.com
Jan Willen Knibbe is Policy and Public Affairs Assistant at ESOMAR. Follow ESOMAR Government Affairs on @esoGOV.