Organizations that transfer personal data to the United States can breathe a sigh of relief for the time being: at the last minute, the EU and the United States have agreed on the EU-U.S. Data Privacy Shield. The Privacy Shield is intended to safeguard future data flows from the European Union to the United States under data protection law, after the European Court of Justice invalidated, in October 2015, the “Safe Harbor” Treaty that had been applicable until then. Subsequently, the supervisory authorities set the European Commission a deadline of the end of January 2016 for negotiating a successor agreement with the U.S.
According to an official statement issued by the EU Commission, the treaty contains, in particular, the following elements:
• As was already possible under Safe Harbor, U.S. companies can commit themselves to meet the criteria of the Privacy Shield, which are still to be determined. The U.S. Department of Commerce will monitor whether these commitments are made publicly accessible. The U.S. Federal Trade Commission will monitor the performance of the obligations in legal terms.
• U.S. companies that process employee data from the EU must submit to the standards set by the European supervisory authorities.
• The U.S. authorities assured the EU that access to information by public authorities, which also include intelligence agencies, will be subject to clear limitations, safeguards, and oversight mechanisms.
• Indiscriminate mass surveillance is ruled out.
• The EU Commission and the U.S. Department of Commerce will review annually whether the treaty functions in practice and whether the personality rights of EU citizens are effectively protected. The data protection authorities will also be involved in this review.
• There will be an ombudsperson to register complaints from EU citizens about possible access by U.S. intelligence agencies to their data.
• Companies must respond to complaints about possible data misuse by a certain deadline.
• EU citizens are intended to be entitled to recourse to the U.S. courts.
The “Privacy Shield” Treaty is currently only a political agreement; it has not yet been laid down in writing and therefore it does not have any official content so far.
The data protection authorities have now set the EU Commission another deadline, the end of February 2016, to submit all documents regarding the new treaty. Subsequently, all options currently under consideration for data transfer to the United States (apart from the Privacy Shield, these include the EU standard contractual clauses and Binding Corporate Rules) are to be conclusively reviewed. Until then, the previous methods can still be used.
The unclear legal situation has thus not been remedied for companies by this official statement. Until the supervisory authorities have made a final assessment of all available instruments, companies must continue to rely on the EU standard contractual clauses and/or Binding Corporate Rules.
© 2016 CMS Law. Tax – a member of the EACCNY