Following the Court of Justice of the European Union's invalidation of the 2000 EU-US Safe Harbor decision (discussed in the November post, together with the EU-US Umbrella Agreement), negotiators announced a new framework on February 2, 2016. This framework is not a treaty but an executive arrangement between the U.S. and the EU under which, in the words of EU Commissioner Jourová, “for the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.”
It is important to understand that European and American views of privacy differ significantly, and that the difference can be traced directly to differing national experiences. Privacy laws in the EU are much stricter than in the U.S. The arrangement is designed to ensure that personal data of EU citizens held by private companies, and transferred from Europe to the United States in the course of normal business, is better protected from government monitoring.
The arrangement includes the following:
• Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and how individual rights are guaranteed. The U.S. Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European Data Protection Authorities (DPAs).
• Clear safeguards and transparency obligations on U.S. government access: For the first time, the U.S. has given the EU written assurances that the access of public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance of the personal data transferred to the U.S. under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also cover the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
• Effective protection of EU citizens’ rights with several redress possibilities: Any EU citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints about possible access by national intelligence authorities, a new Ombudsperson will be created.
What are the implications?
• Primarily, it allows U.S. companies to continue to do business in Europe in an efficient manner. Data can be stored in the U.S. or in Europe, wherever it makes the best business sense. Separating out EU citizen data would have imposed additional costs and required the establishment of data centers in the EU.
• U.S. companies will have to accept and publish data-handling policies and practices acceptable to the EU. The U.S. Federal Trade Commission will have increased oversight of privacy issues.
• EU citizens will have increased options for redress in cases where they believe that their personal information has been improperly accessed or disclosed.
What will happen next? It is highly likely that the arrangement will be challenged in European courts. Suspicion of U.S. intelligence and national security agencies remains very high in Europe in the wake of the Snowden revelations, and this is unlikely to diminish soon. For the near term, at least, businesses can continue to operate as before.
For more information refer to the International Relations chapter of Protecting our Future, Educating a Cybersecurity Workforce Vol. 2 available at http://www.nationalcybersecurityinstitute.org/publications/protecting-our-future/
Newmeyer, K. (2015, November 5). Data Protection, Data Storage, and the complications of international business. Retrieved from http://www.nationalcybersecurityinstitute.org/international/data-protection-data-storage-and-the-complications-of-international-business/
European Commission. (2016, February 2). EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield. Retrieved from http://europa.eu/rapid/press-release_IP-16-216_en.htm