On the 29th of February the European Commission released the legal texts which will comprise the EU-US Privacy Shield and a draft adequacy decision.
The agreement zeros in on the use of EU data by private companies and the US Government alike. The US Government has promised that EU data will not be subject to indiscriminate mass surveillance, a prime concern of many in light of the Snowden leaks. Instead, access to personal data will be subject to ‘clear limitations, safeguards and oversight mechanisms’ and data will only be accessed to the extent that is ‘necessary to meet national security, public interest or law enforcement requirements.’ Private companies will be required to publish a commitment about how personal data will be handled, in accordance with the ‘notice principle,’ and companies which process human resources data must comply with EU Data Protection Authorities (DPAs).
The Shield gives individuals access to rigorous dispute management mechanisms, allowing them to hold companies accountable to the commitments they make public. Under the agreement, companies must reply to complaints within a specified period of time and, if necessary, alternative dispute resolution will be provided at no cost. An ombudsperson has also been created to manage complaints.
While individuals are given these avenues of redress, cooperation between EU DPAs and US Government Departments has also been emphasised. Notably, there will be joint annual reviews of the agreement and its success from 2017.
In order for the Shield to be implemented it must be found to provide an ‘adequate level of protection’. This means that it must require the ‘third country to ensure a level of protection of fundamental rights and freedoms “essentially equivalent” to that guaranteed within the Union by virtue of Directive 95/46/EC read in light of the Charter of Fundamental Rights.’
The Commission approves of the level of protection which has been guaranteed by the US Government. The outcome of these negotiations is essentially that a reasonableness requirement is placed on the use of data, and that there are six specific national security purposes for which data can be used in accordance with the agreement. The inherent difficulty with these safeguards is interpretation and secrecy. How can the EU be sure that the US Government will not simply flout the agreement under the guise of one of these national security purposes? Or that differing understandings of ‘reasonableness’, or of what is necessary, will not diminish the effectiveness of such requirements?
The Commission further found the protection afforded by the self-certification system and the oversight and recourse mechanisms to also be adequate, as they ensure accountability.
To be formally implemented the draft must still be reviewed by the DPAs and approved by the College of Commissioners, yet it does appear as though it will become a formal legal mechanism. We will be very interested to see how the agreement functions in practice.
Is the Shield relevant to your business? Contact us to get advice from experienced privacy lawyers.