Update: EU, US reach new Safe Harbor deal

Update for February 29, 2016:

The US and the European Commission have released new details about the proposed Privacy Shield program. We have published a new post about this release here.

Briefly, the US Department of Commerce has released a 132-page package containing the program principles, letters from the FTC, the Department of Transportation, the Office of the Director of National Intelligence, among others —  about how the program would operate and how enforcement and surveillance would work. The package also contains the “Arbitral Model” which describes how binding arbitration would work in the proposed system, as well as a new ombudsman system. According to the Department of Commerce, the full Privacy Shield package will be published in the Federal Register within 30 days of an adequacy determination.

The European Commission also released information and documents today, including a FAQ, a Fact Sheet, and most important, a draft Adequacy Decision.

Feb. 2, 2016:

The European College of Commissioners have voted to approve a new Safe Harbor deal with the United States. The new arrangement will be called the EU-US Privacy Shield. The arrangement has not been finalized yet, but with this announcement, all parties are publicly in agreement on the path forward.

The European Commission press release hinted at some of the final elements:

” The new arrangement will include the following elements:

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
  • Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
  • Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.”

The agreement will be finalized in the next few weeks by all parties, until then, the details regarding the nuts and bolts of the agreement and its processes are thin. In the meantime, we continue to be interested in particular in the redress reforms that appear to have been put in place. From what we glean from the press statements, the US side will be putting a new Ombudsman in place to oversee complaints regarding access to data by national security authorities.

Related Documents:

European Commission press release 

Statement of the FTC Chairwoman Edith Ramirez

Video of the press conference