Privacy Shield, the new Safe Harbor

On 29 February 2016, the Commission released the legal texts, including the draft adequacy decision, that will put into practice the new EU-US framework for transatlantic data flows, called the Privacy Shield. The publication follows the conclusion of the EU-US negotiations on the agreement which was announced by Commissioners Ansip and Jourova on 2 February 2016.

The Privacy Shield is designed to provide legal certainty for business and to protect the fundamental rights of EU citizens. In particular it will impose:

• stronger obligations on US companies to protect EU citizens data;
• stronger obligations for the monitoring and enforcement by the US Department of Commerce and Federal Trade Commission (FTC), as well as cooperation with the European data protection authorities (DPAs);
• clear conditions, limitations and oversight concerning the access to the transferred personal data by US public authorities for national security purposes (the US Office of the Director of National Intelligence has provided written guarantees to that effect);
• several possibilities for redress for EU citizens including:

• a complaint system to the European DPAs, which can refer the matter to the US FTC;
• a dedicated ombudsperson in the field of national security, within the US Department of State, independent from national intelligence services;
• an obligation that complaints must be dealt with by companies within 45 days;
• a free of charge alternative dispute resolution system;
• an arbitration mechanism (a last resort mechanism to make sure that the complaints are resolved);
• commitment to an annual review of adequacy decision. The review will be conducted by the Commission and the US Department of Commerce with involvement of national intelligence experts from the US and European DPAs. The review will also be able to draw on other resources such as transparency reports of companies. The Commission will have to report to the European Parliament on the results of each review.

The legal texts, as well as the agreement itself, have attracted criticism from some NGOs and politicians. Max Schrems pointed out that although the Privacy Shield has some minor improvements, it does not address the core flaws of the US legal system that allows bulk surveillance. The current written guarantees from the US refer to six situations in which bulk surveillance would be allowed. This may raise questions among the DPAs and the Article 29 Working Party, as the CJEU judgment clearly stated that any form of bulk surveillance is a violation of fundamental rights.

On her Twitter account, Sophie in’t Veld MEP (Netherlands, ALDE) questioned the legal status of written guarantees given by the US, whilst Jan Philipp Albrecht MEP (Germany, Greens EFA), home affairs and data protection spokesperson and former rapporteur on data protection regulation, stated that “The new 'Privacy Shield' framework appears to amount to little more than a remarketed version of the pre-existing Safe Harbour decision, offering little more than cosmetic changes.”

The European DPAs and the European Ombudsman also expressed doubts about the position of the ombudsman being taken up by a senior US Government official, rather than being given to an independent body.

The agreement will now be consulted within a committee composed of representatives of the member states. In addition, the Article 29 Working Party will give its opinion and in particular its assessment of the agreement against the criteria set out by the case law of the CJEU. Most recently, the judgment in the Schrems case invalidated the previous EU-US data transfer scheme, Safe Harbor, and set out clear conditions that must be satisfied by any transfer scheme of personal data to third countries. The agreement will also have to be approved by the College of Commissioners.

On its part, the US will make the necessary arrangements to put in place the new framework, its monitoring mechanisms and the new ombudsperson.