The United States Department of Commerce and the European Commission (EC) have reached an agreement this month on a new framework for transatlantic data flow that enables continuous sharing of commercial data between nations while protecting fundamental rights related to Europeans' personal data.
The framework, called the EU-US Privacy Shield, places stronger obligations on U.S. companies to protect Europeans' personal data, provides for stronger monitoring and enforcement by the U.S. Department of Commerce and the U.S. Federal Trade Commission (FTC), and calls for increased cooperation with European Data Protection Authorities (DPAs).
Under the agreement, the U.S. has ruled out indiscriminate mass surveillance of personal data transferred overseas, and there will be an annual joint review to monitor the framework's effectiveness. Transatlantic data transfers underpin many industries, for example when consumer data is shared to complete travel bookings, credit card transactions, or other e-commerce transactions.
The deal, which is awaiting approval by the 28 European Union (EU) member states, comes months after the European Court of Justice struck down the U.S.-EU Safe Harbor Framework amidst concerns of mass surveillance in the wake of the Edward Snowden revelations and fears that European citizens' data was being inadequately protected in the hands of U.S. companies. Since 2000, the Safe Harbor agreement had permitted certified companies to transfer personal data across the Atlantic in support of trade, serving as the mechanism by which U.S. companies met the EU rule that personal data may not be transferred to non-EU countries lacking an "adequate" level of privacy protection. In late 2015, the EU court invalidated the pact, finding that it did not adequately protect Europeans' personal information, a ruling that affected major commerce and technology companies.
This month, the EC released a summary of the principles the new deal will enforce, with the following requirements:
Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the FTC. In addition, any company handling human resources data from Europe has to commit to comply with decisions by the DPAs.
Clear safeguards and transparency obligations on U.S. government access: For the first time, the U.S. has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards, and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the U.S. under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The EC and the Commerce Department will conduct the review and invite national intelligence experts from the U.S. and the European DPAs to it.
Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies will have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the FTC. In addition, alternative dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
The deal has garnered support from U.S. stakeholders, with at least one member of Congress commenting that the framework is a necessity for thousands of businesses and serves as a crucial marker to rebuild trust with international allies. U.S. Commerce secretary Penny Pritzker stated that the deal is "a major achievement for privacy and for businesses on both sides of the Atlantic." BusinessEurope Director General Markus Beyrer also underscored that the agreement provides a reliable network for international data transfer.
The American National Standards Institute (ANSI) recognizes the importance of data privacy and security. The ANSI cybersecurity portal includes information on contributions that ANSI, its members, and the broader standardization community have made to address cybersecurity as well as the protection of personal data and privacy.