Safe Harbour 2.0 gets green light from member states, comes into force immediately
The European Commission has officially adopted the EU US Privacy Shield framework, measures that should ensure the protection of EU citizen data in its transfer to the United States.
“We have approved the new EU-US Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses,” said the European Commission’s Digital Single Market vice president, Andrus Ansip.
“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.
Safe Harbour 2.0
The official adoption comes after months of debate, culminating in European Union member states giving the framework the go ahead on July 8.
Known as Safe Harbour 2.0, the reworked Privacy Shield framework is designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data transfer rules. The deal had to be amended multiple times, as member states concluded original plans were not strict enough.
But the Commission has said the agreed framework is now robust enough to protect the data of European citizens.
“It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints,” added Vera Jourova, Commissioner for Justice.
“The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our US counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data”.
What does Privacy Shield enforce?
• Strong obligations on companies handling data: Under the new arrangement, the US Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to.
If companies do not comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.
• Clear safeguards and transparency obligations on US government access: The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms.
Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area. The US has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-US Privacy Shield arrangement.
• Effective protection of individual rights: Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms.
Ideally, the complaint will be resolved by the company itself; or free of charge Alternative Dispute resolution (ADR) solutions will be offered.
• Annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes.
The European Commission and the US Department of Commerce will conduct the review and associate national intelligence experts from the US and European Data Protection Authorities. The Commission will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.