With the Safe Harbor Agreement of 2000 having expired on 31st January 2016, businesses globally can now breathe a sigh of relief: a new set of guidelines on international data transfer obligations, called the ‘EU-US Privacy Shield’, has been agreed.
This followed last October’s ruling by the European Court of Justice that Safe Harbor, the 15-year-old pact between the EU and the US, was invalid.
Under the EU Data Protection Directive (95/46/EC), EU Member States may only transfer personal data to a third country for processing if that country “ensures an adequate level of protection”. The European Court of Justice found that Safe Harbor did not ensure such a level of protection.
The last few months have been confusing for data controllers and processors. Now, however, shortly after the expiration of the 31 January deadline set by the Article 29 Working Party – the body responsible for data protection in the EU – the European Commission has announced that the EU-US Safe Harbor agreement will be superseded by something called the ‘EU-US Privacy Shield’.
EU-US Privacy Shield
- Strong obligations on companies handling Europeans’ personal data and robust enforcement:
US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and how individual rights are guaranteed. The Department of Commerce will ensure that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- Clear safeguards and transparency obligations on U.S. government access:
For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European Data Protection Authorities to it.
- Effective protection of EU citizens’ rights with several redress possibilities:
Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints about possible access by national intelligence authorities, a new Ombudsperson will be created. It’s also not yet known when the new framework will be put in place. (Knowing EU bureaucracy, it’ll be a while yet.)
And just a reminder about our side of the Pond…
EU General Data Protection Regulation
The EU Data Protection Directive – which informed the Safe Harbor agreement – is soon to be superseded by the EU General Data Protection Regulation, a pan-European law that will harmonise data protection across EU member states.
- All organisations that collect, process or store information will have to meet the GDPR’s requirements, or face penalties of up to €20 million – or 4% of turnover, which in the case of global Internet companies could be billions.
Implementing an information security management system (ISMS), as described in the international best-practice standard ISO 27001, is the sensible route to compliance.