EU and US Authorities Agree to Stronger Data Protection for Transatlantic Data Flows

By Tim Saviola – Edited by Ariane Moss

Press Release, EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield (Strasbourg, February 2, 2016)

The European Commission and the United States have agreed on a new Privacy Shield to govern the usage and protection of data of European citizens when their data passes into the United States. The agreement, announced on February 2, 2016, creates a new set of data protection obligations for US companies when managing data of European citizens. US and EU authorities will also be able to better monitor and enforce the new regime.

Negotiations were prompted by the invalidation of the older “safe harbor” scheme adopted by the European Commission in 2000. Under those provisions, data from European countries could be shared with US companies if certain outlined privacy principles were complied with. However, after an Austrian citizen complained that his Facebook data was inadequately protected due to US government surveillance revealed by Edward Snowden, the European Court of Justice overturned the safe harbor principles. In the 2015 Schrems decision, the court stated that because US law permitted national security and law enforcement usage of the data to trump the safe harbor data protections, the scheme “enables interference . . . with the fundamental rights of [European] persons.” Maximillian Schrems v Data Protection Commissioner, 2015 E.C.R. C-362/14.

The new EU-US Privacy Shield has several pillars designed to better protect European consumers and their personal data when shared with US companies. Companies wishing to do business with EU Member States will need to commit to “robust obligations on how personal data is processed” which will be subject to enforcement under US law by the Department of Commerce and Federal Trade Commission. New limitations are being placed on US government access to European data, including the elimination of dragnet surveillance and new oversight mechanisms for other national security usage of data. EU citizens will also have new abilities to challenge data misuse through complaints that companies must respond to, and which are subject to DOC and FTC referral and enforcement action.

EU Commissioner Věra Jourová hailed the new agreement as the first time that “the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.” Vice President Andrus Ansip, leader of the Digital Single Market project team, noted the benefits to EU consumers and to small businesses seeking to do transatlantic business. The agreement has also been endorsed by a number of lobbying and business groups that benefit from increased certainty for the legal status of EU/US data flows, including the Information Technology Industry Council (ITIC), DigitalEurope, and the International Chamber of Commerce. The ITIC supports the new EU-US Privacy Shield as promoting business between the regions by articulating a reliable framework while upholding fundamental rights concerning data.

Others, such as European Digital Rights, an international privacy advocacy group, have been more critical of the new agreement, arguing that it does not go far enough and compromises the EU’s negotiating position. The Article 29 working party, which is a pan-European data regulator group that has been examining the Privacy Shield, has also come out in recent days criticizing the agreement. While the working party’s criticisms are not direct law, they could provide a template for national data regulators across the continent to challenge the new shield as inadequately protecting against surveillance and mass data collection.

The final details of the Privacy Shield agreement are scheduled to be adopted by the EU in June. If modifications are not made, the new laws could be challenged by courts across the continent after they are put into place. It remains to be seen if the new protections established by the agreement will meet European standards for fundamental data rights, and how this will impact both European consumers and companies operating across the Atlantic.

Tim Saviola is a 1L at the Harvard Law School interested in technology, regulation, and space law, among others.