Christoph Steck /@christophsteck
Director of Public Policy and Internet at Telefónica
After much debate in the last months since this week, Europe and the USA agreed on a new framework for transatlantic data flows after the European Court of Justice (ECJ) declared the previous Safe Harbour agreement invalid: the EU-US Privacy Shield. A long-awaited agreement for protecting the fundamental rights of Europeans and ensuring legal certainty for businesses.
At this point, it worth summarizing the new issues introduced by the EU-US Privacy Shield:
- First of all, the US State Department will create a special Ombudsperson that will be tasked with following up complaints and enquiries by individuals on national security access on referral from EU Data Protection Authorities.
- Also, every US companies wanting to transfer personal data from the EU to US will be subjected to new obligations enforceable under US law. From now on, they must comply with robust rules on how personal data is processed and how individual rights are guaranteed.
- Another major change has to do with the access to personal data of US public authorities for law enforcement and national security. For the first time, it will be subject to clear limitations, safeguards and oversight mechanisms.
- Additionally, EU citizens are empowered. Besides the creation of an Ombudsperson in complaints related to national security, on the commercial side there will be several redress possibilities for EU citizens that consider their personal data has been misused. An administrative process is provided in these cases so that the European Data Protection Authorities can refer complaints to the Department of Commerce and the Federal Trade Commission. EU citizens will also have a free of charge alternative dispute resolution mechanism.
The EU-US Privacy Shield has been celebrated at both sides of the Atlantic. It is in a certain way an historic agreement for privacy and for businesses. And it also underscores the strength of the U.S.-EU relationship. The U.S. Secretary of Commerce Penny Pritzker even said that this achievement “provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online.”
For his parts, the European Commission Vice-President Ansip and the Commissioner Jourová welcomed this milestone of the Data flow economy and the digital rights of the citizens. Vice-President Ansip said ”today’s decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US. We will work now to put it in place as soon as possible.” And the Commissioner Jourová highlighted, besides the news mention above, that “in the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans”.
From now on a review monitoring will be set up for the implementation of the arrangement. The European Commission (EC) and the US Department of Commerce will conduct this annual joint review, which will also include the issue of national security access.
The Europeans will agree on a draft of “adequacy decision” in the coming weeks, which could then be adopted by the College after obtaining the advice of the Article 29 WG and after consulting a committee composed of representatives of the Member States (Art. 31 WG). And from the US side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsman.
Despite all mentioned above the agreement is far from a done deal. There are grey areas that overshadow the successful agreement. The Art. 29 Working Group was not included in the negotiations. Now it is very vocal in order to evaluate the new framework and assess whether it can answer the wider concerns raised by the ECJ´s Schrems judgment as regards international transfers of personal data
Some relevant actors have already highlighted the fact that the criteria put forward by the ECJ Ruling was ignored.
In the end, we should understand the EU-US Privacy Shield agreement as a pragmatic compromise meant to preserve the legal formality and data protection without upsetting national security. If the new framework is challenged again, the ECJ may not want to upset this delicate balance and assess the new agreement generously. That would solve the practical problem. But the disparity between European and US conceptions of privacy will remain
Against this background, we are sure that the new Safe Harbour has already so many supporters as detractors, but probably its main merit is that it exists and gives confidence to businesses. Vice President Ansip has even insisted in the need to have a bullet-proof new Safe Harbour, as the European Commission counts that the new framework will be challenged again in Court.
In the long term, what companies need is sustainable alternative solutions in light of today’s globalized economy and society, where international transfers of data are not an exception, but the general rule. Companies and citizens need streamlined procedures allowing transfers of data while ensuring adequate levels of protection.
One is obvious: The new agreement will not “shield” us from having more future debates about how to protect consumer´s data in a globalized economy.
