The European Commission – the executive body of the European Union – issued the legal texts that will put in place the EU-US Privacy Shield, a new framework for protecting the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.
The new framework reflects the requirements set by the European Court of Justice in its ruling from 6 October 2015.
The US authorities provided strong commitments that the Privacy Shield will be strictly enforced and assured there is no indiscriminate or mass surveillance by national security authorities.
This will be guaranteed through strong obligations on companies and robust enforcement, clear safeguards and transparency obligations on US government access, effective protection of EU citizens’ rights with several redress possibilities, and an annual joint review mechanism.
American companies will register to be on the Privacy Shield List and self-certify that they meet the requirements set out. This procedure has to be done each year.
The US Department of Commerce will have to monitor and actively verify that companies’ privacy policies are presented in line with the relevant Privacy Shield principles and are readily available.
The US has committed to maintaining an updated list of current Privacy Shield members and removing those companies that have left the arrangement. The Department of Commerce will ensure that companies that are no longer members of Privacy Shield must still continue to apply its principles to personal data received when they were in the Privacy Shield, for as long as they continue to retain them.
European individuals will gain more transparency about transfers of personal data to the US and stronger protection of personal data, and easier and cheaper redress possibilities in case of complaints — directly or with the help of their local Data Protection Authority.
More in-depth details about the framework and its concrete functioning can be found in this FAQ section.
“Now we start turning the EU-US Privacy Shield into reality,” says Andrus Ansip, VP for the Digital Single Market on the European Commission. “Both sides of the Atlantic work to ensure that the personal data of citizens will be fully protected and that we are fit for the opportunities of the digital age. Businesses are the ones that will implement the framework; we are now in contact on a daily basis to ensure the preparation is done in the best possible way.”
But not everybody is satisfied with this arrangement.