EU-U.S. Privacy Shield Formally Adopted by European Commission


Written By ESR News Blog Editor Thomas Ahearn

The European Commission has formally adopted the new EU-U.S. Privacy Shield framework to create stronger protection for transatlantic data flows between the European Union (EU) and the United States (U.S.), protect the fundamental rights of people in the EU with personal data being transferred to the U.S., and bring legal clarity for businesses relying on transatlantic data transfers, according to a press release from the European Commission.

“The EU-U.S. Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses,” Věra Jourová, Commissioner for Justice, Consumers, and Gender Equality stated in the press release. “It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic.”

The EU-U.S. Privacy Shield – which replaces the old Safe Harbor framework invalidated by a European Court of Justice (ECJ) ruling in October of 2015 – is based on the following principles:

  • Strong obligations on companies handling data: Under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.
  • Clear safeguards and transparency obligations on U.S. government access: The U.S. has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area. The U.S. has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement. The Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State.
  • Effective protection of individual rights: Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself; or free of charge Alternative Dispute Resolution (ADR) solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress in the area of national security for EU citizens will be handled by an Ombudsperson independent from the US intelligence services.
  • Annual joint review mechanism: The mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the U.S. Department of Commerce will conduct the review and associate national intelligence experts from the U.S. and European Data Protection Authorities. The Commission will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.

As for the next steps in the U.S., the Privacy Shield framework will be published in the Federal Register and the U.S. Department of Commerce will start operating the Privacy Shield. After reviewing the EU-U.S. Privacy Shield Framework Fact Sheet and updating their compliance practices, U.S. companies will be able to certify for Privacy Shield with the Commerce Department starting August 1, 2016. More information about the EU-U.S. Privacy Shield is available on the Department of Commerce website at www.commerce.gov/privacyshield.

As reported earlier by ESR News, the 15-year-old international agreement called “Safe Harbor” that allowed companies to transfer the digital data of individuals between the EU and U.S. was invalidated by a court ruling on October 6, 2015. The decision to invalidate Safe Harbor stemmed from the case of Maximillian Schrems v. Data Protection Commissioner, in which an Austrian citizen lodged a privacy complaint about his data being transferred to servers in the U.S. for processing, claiming that the U.S. did not offer sufficient protection against government surveillance due to revelations made by defector Edward Snowden.


© 2016 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.