Today, political agreement has been reached on the new solution to replace the Safe Harbor regime, the so-called “EU-US Privacy Shield”. The College of Commissioners have approved the new framework which, according to the European Commission press release, “will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses“.
This sudden announcement comes hours after it was announced that there was no deal yet on “Safe Harbor 2.0”.
According to the European Commission, the EU-US Privacy Shield reflects the CJEU’s recommendations as set out in the Schrems decision. In particular, the new framework will include the following:
- Strong obligations on companies handling Europeans’ personal data and robust enforcement (including that companies importing EU data will need to commit to “robust” obligations which will be monitored by the Department of Commerce and ultimately enforced by the FTC);
- Clear safeguards and transparency obligations on US government access (including, for the first time, assurances that there will be limitations, safeguards and oversights placed on public bodies having access to EU data);
- Effective protection of EU citizens’ rights with several redress possibilities (including the creation of a new “Ombudsperson” to deal with any complaints about access for surveillance purposes).
No draft has been issued yet. The next step is for a “adequacy decision” to be drafted by Vice-President Ansip and Commissioner Jourova. The intention is then for this draft to be adopted by the College of Commissioners following “advice” from the Article 29 Working Party and further representatives of Member States. During the Q&A session yesterday with Commissioner Jourova, it was also hinted at that the new solution may need to be reviewed by the CJEU to pre-empt another complaint being received. This was not mentioned in the Commission’s Press Release today.
Next question: how will the A29WP react? We find out tomorrow.