THE EUROPEAN UNION (EU) and the US have released the full details of their new transatlantic data transfer agreement.
The Privacy Shield agreement was originally decided upon at the beginning of February as a way of replacing the Safe Harbour agreement, but the details had yet to be decided.
Safe Harbour was deemed to be invalid after the EU Court of Justice (ECJ) said it was lacking in a number of areas regarding the US and mass surveillance.
The decision originated from a complaint by Max Schrems, a privacy rights campaigner from Austria, with the Irish Data Protection Commissioner regarding Facebook’s handling of his personal data.
When the case was brought to the ECJ, the court said the agreement didn’t offer users enough privacy protections.
The result of that was Privacy Shield, which aims to ensure the personal data of EU citizens is given the same privacy protections in the US as it would be in the EU.
According to the European Commission’s FAQ, American companies will register to be on the Privacy Shield list and self-certify that they meet the requirements set out. The procedure has to be done each year.
The US Department of Commerce will have to monitor and verify that companies’ privacy policies are presented in line with the agreement and are readily available. The US will be required to maintain a list of said members and ensure that those who aren’t members continue to follow the same rules as if they were signed up to it.
As part of the agreement, both the EU and US will be required to:
- Review the agreement annually, which will be carried out by the European Commission and the US Department of Commerce.
- Incorporate additional measures for EU citizens to resolve grievances with companies concerning data use. Complaints have to be resolved by companies within 45 days and an Alternative Dispute Resolution solution will be available free of charge. Citizens can also go to their national data protection authority to resolve the problem, and if it’s not resolved, they can use an enforceable arbitration mechanism.
- Create an ombudsperson mechanism which will follow up on complaints and enquiries by individuals. They will work within the US Department of State, and will be independent from national security laws.
The EU released it as an ‘adequacy decision’, meaning a non-EU country ensures an adequate level of protection of personal data. It also called on the US to strengthen its domestic privacy protections so they match the same data protection standards in the EU.
However, Schrems has criticised the deal, saying it already violates the rules made by the ECJ on Safe Harbour.
“Basically the US openly confirmed that it violates EU fundamental rights in at least six cases,” he said in a statement. “The Commission claims that there is no ‘mass surveillance’ anymore. It used to be the other way around. This charade is not only bluntly in conflict with the law and the Court judgement but also with the document the Commission presented”.
It begs the question what forces push the Commission in the background. This is obviously not driven by a rational implementation of the facts, the law and the judgement.
While the details of the agreement have been set, it still needs to be approved by European data regulators, and EU member states have to ratify the agreement. If they agree on the draft, then it will be made final.