On 29 February 2016, the EU Commission published a collection of documents on the EU-U.S. Privacy Shield, the framework that is to govern transfers of personal data to the U.S.A. in the future. The published documents flesh out the political agreement on the key points of the framework that the EU and the U.S.A. had reached about a month earlier. In addition, the EU Commission adopted a draft adequacy decision finding that the new provisions meet the EU's data protection standard.
The central points of the new agreement are the following:
- As was already the case under Safe Harbor, U.S. companies can self-certify that they comply with the Privacy Shield. The U.S. Department of Commerce will verify that these commitments are made publicly accessible, and the U.S. Federal Trade Commission will enforce them. The certification must be renewed annually.
- U.S. companies that process employee data from the EU are subject to the standards set by the European supervisory authorities.
- Companies must designate a point of contact to which data subjects can address complaints.
- The U.S. authorities have assured the EU that access to data by public authorities, including the intelligence agencies, will be subject to clear limitations, safeguards and oversight mechanisms. Bulk collection remains permitted in six categories of cases, which are, however, very broadly defined.
- The EU Commission and the U.S. Department of Commerce will review annually whether the framework works in practice and whether the privacy rights of EU citizens are effectively protected. The European data protection authorities will also be involved in this review.
- An ombudsperson will handle complaints from EU citizens about possible access to their data by U.S. intelligence agencies. The position is to be held by Under Secretary of State Catherine A. Novelli, a member of the State Department.
- Companies must respond to complaints about possible misuse of data within 45 days. If a company fails to do so, it may in the worst case be removed from the certification list.
- A free alternative dispute resolution mechanism will be available. Affected EU citizens can also turn to their national data protection authorities, which will work with the Federal Trade Commission to ensure that complaints are investigated and resolved. As a last resort, if a case cannot be resolved by any other means, there will be an arbitration procedure with an enforceable award.
While Washington is preparing to implement the new rules, the EU is still awaiting the opinions of the member states and of the Article 29 Data Protection Working Party, which has announced its assessment for 12/13 April 2016. If those bodies reach a positive conclusion on the EU-U.S. Privacy Shield, the EU Commission can adopt the adequacy decision and bring the framework into force.
Until the framework has been finally assessed and has entered into force, however, companies can rely only on the familiar instruments: the EU standard contractual clauses and/or Binding Corporate Rules.
The documents published now have not eliminated the legal uncertainty. In particular, the still far-reaching possibilities for U.S. authorities to access data must be viewed critically. Moreover, the U.S. commitments rest only on a directive of the current president, Barack Obama, which a new U.S. administration can change at any time.
Given the numerous announcements to that effect, it is very likely that the ECJ will also have to rule on the Privacy Shield. Max Schrems, whose case brought down Safe Harbor, has already announced that he intends to challenge it.
In view of these uncertainties, companies remain well advised to continue relying on EU standard contractual clauses or Binding Corporate Rules in addition to any Privacy Shield certification.