EU and US Propose Privacy Shield to Replace Defunct Safe Harbor

The European Commission and the United States have agreed on a new framework to replace Safe Harbor, the EU-US Privacy Shield.

The new framework will protect the fundamental rights of Europeans where their data is transferred to the United States, and ensure legal certainty for businesses.

The agreement comes after EU and US negotiators failed to agree on a replacement for the Safe Harbor data sharing agreement by the 31 January deadline. The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbor framework invalid.

The new arrangement will place stronger obligations on companies in the USA to protect the personal data of Europeans, and ensure stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.

The US Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European data protection laws.

Also, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.

Europeans will have the right to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

EU Vice President Andrus Ansip said: "We have agreed on a new strong framework on data flows with the US. Our people can be sure that their personal data is fully protected. Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic.

“We have a duty to check and we will closely monitor the new arrangement to make sure it keeps delivering. Today's decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US. We will work now to put it in place as soon as possible.”

Commissioner Vera Jourová said: “For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.

“Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”

Dave Allen, SVP and General Counsel at Dyn, said: “While there is no silver bullet for compliance with the emerging regulatory regimes that govern data flows, visibility into routing paths along the open Internet and private networks need to be seriously considered by businesses that rely on the global Internet to serve their customers. In this era of emerging geographic restrictions, having access to traffic patterns in real time, along with geo-location information, provides a much more complete solution to the challenges posed by the EU-US Privacy Shield framework.”

Deema Freij, global privacy officer at Intralinks, said: “Today’s announcement of the EU-US Privacy Shield finally marks the arrival of ‘Safe Harbour 2.0’. Despite some scepticism from human rights and privacy organisations, this will make transfers to the US legal under European law.

“The demise of Safe Harbour 1.0 told companies it’s good to have back-up plans and options should one legal route be shut off. The release of Safe Harbour 2.0 is very much another option for companies should they want to take it. So do businesses need to do anything now?

However, Privacy Shield was not welcomed with complete optimism. Whistle-blower Edward Snowden called it an “accountability shield”. He said via Twitter: “Never seen a policy agreement so universally criticized”.
