THE EU AND US have decided on a new framework concerning how US tech companies can receive and handle the data of EU citizens.
The EU-US Privacy Shield was formed after the 1 February deadline to replace Safe Harbour, the previous agreement between the two entities, was missed.
The EU Commission says the framework will “protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses”.
A draft “adequacy decision” – which determines what is an adequate level of protection for users’ personal data – will be decided upon in the coming weeks.
At the same time, the US will have to prepare for the deal by putting the new framework and monitoring mechanisms in place, as well as appointing a new Ombudsperson.
Under the new arrangement, the EU says there will be three main elements involved.
- US companies will need to commit to specific obligations as to how personal data is processed and individual rights are guaranteed. Said companies will be required to publish their commitments which will be enforced under US law by the US Federal Trade Commission. Any companies handling human resources data from Europe have to comply with European data protection laws.
- Clear limitations and safeguards with regard to public authorities accessing such data for law enforcement and national security. A joint annual review will be carried out by the European Commission and the US Department of Commerce. The US has ruled out indiscriminate mass surveillance on personal data transferred to it from the EU.
- Companies will now have a deadline to reply to complaints from citizens or anyone who feels their personal data has been misused. Europeans will be able to raise an enquiry or complaint with a new Ombudsperson.
While the deal itself has yet to be drafted, privacy groups have greeted the announcement with skepticism, saying that assurances only go so far since the final agreement has yet to be worded.
Commenting on the arrangement, Austrian privacy rights campaigner Max Schrems said it was “too early for a final assessment”, but mentioned that “it seems the EU tried to get as much as possible”. However, he had concerns over what the deal meant for individuals.
“I am, however, not sure if this system will stand the test before the Court of Justice,” he said in a statement. “There will clearly be people that will challenge this – depending on the final text I may well be one of them”.
The executive director of European Digital Rights, Joe McNamee, called it a “new badly flawed arrangement” and said it meant “the new arrangement will rely on additional legal instruments, which are also likely to fail to achieve their intended goals”.
Moving on from Safe Harbour
The new arrangement was required after Safe Harbour, the previous data transfer agreement between the EU and the US, was deemed invalid by the European Court of Justice (ECJ).
Safe Harbour was the agreement used to protect EU citizens’ data since more US companies like Facebook, Google, LinkedIn and others manage their data. Under EU law, it was forbidden to move said data outside the EU unless it went to a location deemed to have privacy protection in line with EU regulations.
It was declared invalid by the ECJ after a case by Schrems, concerning how Facebook handled personal data, was referred to the ECJ by the Irish High Court.