New EU-U.S. data protection deal reached

Published

On Tuesday, the representatives of the European Union and the United States agreed upon a new framework for transatlantic transfers of personal data, called “the EU-U.S. Privacy Shield”. The arrangement will, if implemented, replace the invalidated Safe Harbor principles. Even though a significant amount of work still remains before the new framework can enter into force, the new arrangement is expected to be in place within three months.

On the 6th of October 2015, the Court of Justice of the European Union invalidated the previous decision by the European Commission that the Safe Harbor principles ensured an adequate level of protection for personal data. The Court’s decision complicated transfers of personal data from the EU to the U.S. for thousands of companies, as they no longer could rely on the Safe Harbor principles. Instead, the companies’ transfers had to be supported by a different legal ground, for example consent from the registered individual or an agreement between the parties containing the EU standard contractual clauses.

The deal reached on the 2nd of February will, if implemented, replace the Safe Harbor principles and once again facilitate a legal transfer of personal data from the EU to the U.S. and at the same time provide stronger protection for the registered individuals’ fundamental rights. Three of the EU-U.S. Privacy Shield’s major effects are the following.

  • American companies receiving personal data from the EU will need to commit to obligations regarding how personal data is processed and how individual rights are guaranteed. The companies will be obligated to publish their commitments and will be monitored by the U.S. Department of Commerce. The published commitments will be enforceable under U.S. law.
  • The U.S. have assured in writing that the American public authorities’ access to personal data will be clearly limited and subject to safeguards and oversight mechanisms. An annual joint review will be held to monitor the functioning of the arrangement.
  • If an EU citizen considers that their personal data has been used in an unlawful manner according to the new framework, there will be several redress possibilities. The registered individual may choose to directly turn to the American company, to European data protection agencies which may refer the complaint to the relevant American public authority, to use alternative dispute resolution free of charge or, if the matter concerns acts of the U.S. national intelligence agencies, contact an ombudsman that will be created.

The process going forward for the EU includes consultation with both the Article 29 Working Party and a committee composed of representatives from all member states, before a formal decision to approve the deal can be made. Meanwhile, the U.S. will take the measures needed in order to put the new framework in place.

A considerable amount of work still lays ahead for the EU and the U.S. before the EU-U.S. Privacy Shield can enter into force and the decisions taken in the upcoming weeks will be crucial. However, if everything proceeds as planned, future transatlantic transfers of personal data will be greatly facilitated.

Time is one of Sweden’s leading law firms in matters regarding personal data law and IT and technology law. We offer legal advice customized for your business, for example regarding transatlantic transfers of personal data or regarding the upcoming EU data protection reform. If your company needs legal support, you are welcome to contact us.