At last, agreement has been reached on the EU – US Privacy Shield, which now replaces the Safe Harbor agreement. Safe Harbor was ruled invalid in 2015 by the EU Court of Justice, which held that the voluntary scheme did not provide sufficient safeguards for personal data.
The new agreement is intended to protect the privacy of EU citizens when their personal information is processed in the US.
Companies will be able to sign up to the EU – US Privacy Shield from August 1st once they have implemented any necessary changes to comply with the strict compliance obligations.
The EU – US Privacy Shield is based on a system of self-certification by which US organisations commit to a set of privacy principles entitled the EU – US Privacy Shield Framework Principles.
The new framework was unveiled in February and has been under review since then. Back in June the European Data Protection Supervisor, Giovanni Buttarelli, advised that it ‘needed significant improvements’ because it was not ‘robust enough’, and that the Commission should negotiate improvements to the Privacy Shield in three main areas:
- limiting exemptions to its provisions;
- improving its redress and oversight mechanisms;
- integrating all the main EU data protection principles.
For the Privacy Shield to be an effective improvement on Safe Harbor, it must provide adequate protection against indiscriminate surveillance, as well as transparency obligations and data protection rights for people in the EU.
In Brussels on July 12th, Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, said: “The EU – US Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints.”
In summary, the EU – US Privacy Shield is based on the following principles:
- Strong obligations on companies handling data and robust enforcement
- Clear safeguards and transparency obligations on US government access
- Effective protection of individual rights
- Annual joint review mechanism
- Easier and cheaper redress possibilities in case of complaints, directly or with the help of the local Data Protection Authority
The Privacy Shield agreement applies to both data controllers and processors (agents), and specifies that processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles.
Whilst the UK remains a member of the EU (which it will be for at least the next 2 years), UK-based companies that process data in the US will be able to use the Privacy Shield where appropriate.
Michelle Evans, Data Compliance Director
14th July 2016