Data Framework: EU-U.S. Privacy Shield

Wednesday, February 3, 2016 @ 03:02 PM gHale

The European Commission (EC) and the United States agreed on a new framework for transatlantic data flows called the EU-U.S. Privacy Shield.

The College of Commissioners approved the agreement and mandated Andrus Ansip, Vice President of the European Commission for the Digital Single Market, and Věra Jourová, European Union Commissioner for Justice, Consumers and Gender Equality, to prepare the necessary steps to put the new arrangement in place.

The new framework will protect the fundamental rights of Europeans when their data is transferred to the United States and ensure legal certainty for businesses.

The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and FTC, including increased cooperation with European Data Protection Authorities.

The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalized access.

The new arrangement will include:

• Strong obligations on companies handling Europeans’ personal data and robust enforcement.

U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and how individual rights are guaranteed.

The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.

• Clear safeguards and transparency obligations on U.S. government access.

For the first time, the U.S. has given the EU written assurances that access by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate.

The U.S. ruled out indiscriminate mass surveillance on the personal data transferred to the U.S. under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.

• Effective protection of EU citizens’ rights with several redress possibilities.

Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints about possible access by national intelligence authorities, a new Ombudsperson position will be created.