
EC Publishes ‘Safe Harbour 2.0’ Privacy Shield Details

The European Commission (EC) has published the details of the personal data transfer agreement it reached with the United States earlier this month, saying the agreement puts in place stronger oversight arrangements than the ‘Safe Harbour’ mechanism, which was annulled last year amidst concerns over mass data collection programmes by the US government.

Called ‘Privacy Shield’, the arrangement requires US companies wishing to transfer the personal data of European citizens to the US to register annually, and places stronger oversight obligations upon the US Department of Commerce and Federal Trade Commission (FTC), the EC said.

EU-US cooperation

Those obligations include increased cooperation with European data protection authorities, with an annual joint review.

“The new arrangement includes written commitments and assurance by the US that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalised access,” the Commission stated.

The agreement also puts in place several mechanisms for resolving disputes, including a US-appointed Ombudsperson independent of government intelligence services.

Companies taking part in Privacy Shield are to be obliged to resolve disputes within 45 days, and to provide free-of-charge alternative dispute resolution systems, according to the Commission. Citizens can also turn to national data protection authorities, which can work with the US Department of Commerce and FTC to resolve disputes, the EC said.

Mass surveillance

The EU has been negotiating a new data-transfer agreement with the US for the past two years, following revelations in 2012 over the extent of the US government’s data collection programmes. The previous ‘Safe Harbour’ agreement was invalidated last October, before the new arrangement could be put into place, leaving multinational companies vulnerable to legal action if they didn’t have alternative mechanisms in place.

The EC said the new agreement, formally published on Monday in the form of a draft “adequacy decision”, provides sufficient oversight and remediation protections to protect EU citizens’ personal data from misuse in the US by either government or private organisations.

“The EU-US Privacy Shield is a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds,” stated Věra Jourová, European commissioner for justice, consumers and gender equality.

Oversight

The Commission also cited recent US reforms that have placed limits on US intelligence services’ ability to carry out mass surveillance.

Companies that register for the arrangement are to self-certify that they meet its conditions, with the US Department of Commerce committed to actively verifying that companies’ privacy policies are in line with the relevant Privacy Shield statutes and are readily available, according to the EC.

US regulators have committed to maintaining an updated list of current Privacy Shield members and removing companies that have left the arrangement, as well as ensuring that companies that are no longer part of Privacy Shield continue to apply its statutes to personal data acquired when they were members, the Commission said.

The Commission said it will shortly propose the new agreement for approval by the European Parliament, after which it can be adopted by the European Council.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
