What is it?

Last week (February 2nd), the European Commission and the United States agreed on a new framework for transatlantic data flows. This agreement replaces the old Safe Harbour framework, which was declared invalid on October 6 2015.

The new agreement sets out stronger obligations on companies in the U.S. to protect the personal data of Europeans, as well as stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC). These US agencies will also be required to increase cooperation with European Data Protection Authorities.

EU data protection laws dictate that EU citizen’s personal information cannot be shared with countries deemed to have less than stringent privacy regulations, such as the US, but Safe Harbour allowed some data to circumvent these restrictions to be transmitted across the Atlantic.

More than 4,000 companies, including tech giants Amazon, Facebook and Google, were reliant on the previous legislation, which had been in place for 15 years. But concerns about US state surveillance prompted a renegotiation of the agreement before its invalidation.

What do I need to know?

1. The Safe Harbor scheme will be replaced by a scheme called “EU – US Privacy Shield” which will be administered by the US Department of Commerce. European and United States representatives will confirm the process and timing for the transition from the Safe Harbor to the EU – US Privacy Shield scheme in due course.

2. By joining the EU – US Privacy Shield scheme, an organisation will be able to import personal data from Europe to the US, provided that organisation publicly comments how and why it will process personal data in the US, and agrees to comply with enhanced requirements about the manner in which personal data will be processed by it. Existing restrictions concerning onward transmission of personal data from the US to other countries will be tightened.

3. Each organisation that certifies that it complies with the EU – US Privacy Shield scheme will have its compliance with the scheme monitored and reviewed by the US Department of Commerce. If an organisation is found to have not complied with its commitments, sanctions will be applied against that organisation by the US Federal Trade Commission and it may be removed from the EU – US Privacy Shield scheme certified list.

4. If an individual has a complaint with respect to the way in which his or her personal data has been processed by an organisation that has certified to the EU – US Privacy Shield scheme, the complaint must be considered free of charge by the organisation in question within a limited timeframe in the first instance. If that complaint is not resolved, the individual concerned may refer the complaint free of charge to his or her European data protection authority, which may decide to refer the complaint to the US Department of Commerce and Federal Trade Commission for their consideration. The US Department of Commerce and Federal Trade Commission will be required to investigate and resolve the complaint within a reasonable but limited timeframe. If the complaint is not resolved to the individual’s satisfaction, the complaint can be referred to arbitration for final resolution.

5. The US Director of National Intelligence will provide a binding, written assurance to the European Union that access to personal data about European citizens for national security and law enforcement purposes will only occur to the extent it is necessary and proportionate, that it will be subject to clear limitations, safeguards and oversight mechanisms and that no indiscriminate or mass surveillance on personal data transferred to the US under the new scheme will occur.

6. The Judicial Redress Act must be passed by US Congress so that European citizens have the same rights of redress as US citizens with respect to unlawful access of their personal data by US public bodies. Any complaints about access to personal data by US national intelligence authorities that have been referred to the US by European data protection authorities will be heard by an ombudsman to be appointed in due course. The ombudsman will operate independently of the US national security authorities.

7. There will be a joint annual review of and report into the functioning and compliance with these arrangements by the European Commission and US Department of Commerce.

8. The European Commission anticipates that it will take three months for European and United States authorities to finalise and put in place the arrangements that have been agreed, meaning that the EU – US Privacy Shield scheme should be implemented in May 2016.

This summary was provided by Law firm Mayer Brown, but for further information you can contact Telehouse via your account manager or via [email protected].