On 6 October 2015, the Court of Justice of the European Union (CJEU) issued a ruling which invalidated Decision 2000/520/EC of 26 July 2000 concerning the adequacy of the level of protection afforded by Safe Harbour (CJEU, 26 October 2015, C-362/14).
In order to provide a secure legal framework for the transfer of personal data to the U.S., the European Commission on 29 February 2016 presented a new framework for EU-to-U.S. data flows (Press release IP/16/433). The legal basis for these texts comprises:
- the renegotiation of the EU-U.S. Umbrella Agreement concerning data protection standards for law enforcement purposes. A draft Council decision was recently published about this issue on 29 April 2016. It concerns "the signing, on behalf of the European Union, of an Agreement [...] on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences" (COM(2016) 238 final). This proposal will be put to the vote of the national parliaments. In France, the National Assembly and the Senate have been discussing it since 3 May 2016;
- a renewed framework for commercial data exchange, the EU-U.S. Privacy Shield, comprising:
  - a body of rules which all companies must obey; and
  - a number of written commitments by the U.S. Government, some of which are still to be published in the U.S. Federal Register. The Judicial Redress Act, which grants EU citizens the right to enforce data protection rights in the U.S. courts, was the first stone laid, having been signed into law on 24 February 2016. The U.S. Government has also agreed to ban all mass surveillance; any data gathering by the U.S. information agencies must now be based on necessity and proportionality. The only exception is situations requiring a rapid response. A mediator will oversee these commitments.
The Commission has also released its draft decision on the adequacy of the level of protection afforded by this new system, which is ultimately due to replace the Decision of 26 July 2000. This will all be guaranteed through:
- strict supervision mechanisms to ensure that companies respect their obligations under the Privacy Shield, including sanctions or exclusion if they do not comply;
- tightened conditions for onward transfers to other partners by the companies participating in the scheme;
- the right for European citizens to file a complaint if any of the protection principles is not met; complaints have to be resolved by companies within 45 days;
- access to a free-of-charge alternative dispute resolution solution.
In addition, the Commission will continuously monitor the use of the data transferred to the U.S., as part of an annual joint review mechanism between it and the American Department of Commerce. The Commission will be allowed to draw on all available sources of information. The Commission will issue an annual report to the European Parliament and the Council. This may, if necessary, be used to repeal the Commission's decision acknowledging the adequacy of the level of protection for data flows to the U.S. or to undertake renewed negotiations, without having to wait for any sanction by the courts.
The draft decision is due to be submitted to the WP29 for its opinion.