Safe Harbour’s substitute in place

Last updated on February 28, 2016

The EU and the US have reached a new political agreement on personal data transfers between the EU and the US. The new agreement replaces Safe Harbour, which was struck down by the CJEU in October 2015. The agreement has yet to be finally approved by the Data Protection Agencies of the EU countries.

On 2 February 2016, the EU Commission and the US entered into a new political agreement on data exchange between the EU and the US. The new agreement, called the EU-US Privacy Shield, replaces Safe Harbour, which was declared invalid last year by the Court of Justice of the European Union.

The EU-US Privacy Shield is a political agreement, and the final text of the agreement is expected to be in place within the next few weeks. After that, the so-called Article 29 Working Party, which consists of representatives of the Data Protection Agencies of the EU countries, will decide whether the agreement guarantees sufficient protection of EU citizens’ personal data when exchanged with the US.

Safe Harbour declared invalid

In October 2015, the Court of Justice of the EU declared the former agreement, Safe Harbour, invalid because it did not guarantee sufficient protection of EU citizens’ personal data. The purpose of the EU-US Privacy Shield is therefore to find an agreement that complies with the European rules.

The keystones of the EU-US Privacy Shield are:

  • More stringent requirements on American companies’ and authorities’ handling of EU citizens’ personal data, plus a guarantee of individual rights.
  • Security precautions and transparency on American authorities’ access to personal data, including a limitation to cases in which it is necessary and proportionate. In addition, no arbitrary mass surveillance of personal data transferred to the US will be conducted.
  • Efficient protection of EU citizens’ rights and an easier complaint procedure for EU citizens. Any EU citizen will, among other things, have the opportunity to consult a Parliamentary Commissioner if the person concerned has an inquiry or a complaint related to American authorities’ data processing.

Text of the agreement is to be evaluated by the Data Protection Agencies

The Article 29 Working Party is looking forward to reviewing the final text of the agreement to evaluate its legal contents, including whether the agreement redresses the conditions that made Safe Harbour invalid.

The Working Party pinpoints four elementary guarantees that must be met if the agreement is to guarantee sufficient protection of EU citizens:

  • Data processing shall be based on clear, precise and accessible rules.
  • Necessity and proportionality shall be demonstrated – there must be a balance between the purpose of the data collection and the individual’s rights.
  • An independent, effective, and impartial oversight mechanism should exist – either a judge or an independent body.
  • Individuals shall have access to effective remedies.

Furthermore, the Article 29 Working Party will assess whether transfer mechanisms such as Model Clauses and Binding Corporate Rules can still be used for personal data transfers without being inconsistent with the EU data protection rules.

iuno’s opinion

For now, the agreement is only political, and we await the final text of the agreement. Therefore, it is still not certain whether the new agreement will solve the issues pointed out in Safe Harbour by the European Court of Justice.

However, the framework is in place, and the political agreement between the EU and the US contains a lot of interesting elements. It will therefore be decisive whether the agreement turns out to be sufficiently specific. Only when the final text of the agreement is ready will it be possible to assess whether the agreement ensures effective protection of EU citizens’ personal data when transferred to the US.

If the EU-US Privacy Shield agreement turns out not to be sufficiently specific, the agreement might be challenged by EU citizens and the individual countries’ data protection agencies. Thus, it is far from certain that the agreement will be a new safe harbour for data transfer to the US.