By Cameron Abbott and Meg Aitken
A new trans-Atlantic data transfer framework has been agreed between the European Commission and the United States this week. Known as the ‘EU-US Privacy Shield’, the new arrangement is intended to offer greater legal certainty for businesses and afford EU citizens increased protection when their data is transferred across the Atlantic to the US.
The new regulations will replace the US-EU Safe Harbor framework, which was invalidated by the European Court of Justice last October on the basis that the generalised access that public authorities had to the data and content of electronic communications violated fundamental privacy rights. Read our earlier blog post on the Safe Harbour decision here.
The key features of the new EU-US Privacy Shield are:
- Stronger obligations on US companies to protect the personal data of EU citizens
- More robust enforcement powers granted to both EU and US regulators, including greater monitoring and prosecution by the US Department of Commence and Federal Trade Commission (FTC)
- Clearer conditions, limitations, redress avenues and safeguards for data transferred across the Atlantic
- Expanded obligations for US companies to prove compliance
- Several new avenues for EU citizens to lodge complaints about data misuse, including the establishment of a new independent privacy Ombudsman
The new Privacy Shield is still awaiting final approval from the College of Commissioners and will be subject to further review by the Article 29 Working Party before it is introduced. Much of the detail has not been released, so while the principles have been articulated, the impact on the obligations of affected companies is still far from clear.
Read the European Commission press release here for further details.
Our US and EU colleagues have drafted a more detail description which can be accessed here for further information.