The EU and US have reached a deal to replace regulations covering how data from European Union countries is processed by US organisations.
The transatlantic data sharing and transfer agreement was thrashed out between the US and the European Commission after the previous Safe Harbour arrangement was invalidated by the European Court of Justice (ECJ) late last year.
The new EU-US Privacy Shield is intended to set out clear safeguards and transparency obligations, backed by written assurances on how personal data on European citizens is processed by US organisations.
“The new arrangement includes commitments by the US that possibilities under US law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access,” said a European Commission statement. “Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new ombudsperson.”
The proposals also require US companies to take on additional obligations if they wish to import personal data from the EU. These data processing obligations will be administered by the US Department of Commerce.
“The department will monitor that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission (FTC),” the commission said. “In addition, any company handling human resources data from Europe has to commit to comply with decisions by European Data Protection Authorities (DPAs).”
Written assurances have also been given by the US that law enforcement and national security organisations will be subject to “clear limitations, safeguards and oversight mechanisms, with any exceptions to these controls being necessary and proportionate.”
“For the first time ever, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” said Europe’s justice commissioner Věra Jourová.
“Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”
Andrus Ansip, vice president for the digital single market at the European Commission, will now prepare to draft an “adequacy decision” covering the new rules for member states to ratify.
“Our people can be sure that their personal data is fully protected. Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic,” said Ansip.
“We have a duty to check and we will closely monitor the new arrangement to make sure it keeps delivering. Today’s decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US. We will work now to put it in place as soon as possible.”
French Caldwell, a former Gartner vice president who has worked with the US White House on issues relating to national and cyber security, said that national security surveillance is something all governments with the technical means to do so engage in.
“With or without Safe Harbour or its successor, those surveillance programmes will continue,” he said.
“The legal definitions of personal data are so antiquated that, even if the data covered under privacy law are protected – that is addresses, driver’s licence, tax identification, phone numbers, etc – there is still so much data around people’s movements and online activities that an entire behavioural profile can be built without accessing the PII that is considered legally protected.”
He added that privacy protections in the US have evolved significantly over the years and, in fact, US laws on data breach protection have begun to be replicated in the EU.
“Also, US authorities, in particular the FTC, are aggressive in penalising companies for not following privacy policies – much more aggressive than EU national privacy authorities,” said Caldwell.