By George Markopouliotis
Last week the European Commission adopted the EU-US Privacy Shield, a robust new system which protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States and ensures legal certainty for businesses.
This new framework reflects the requirements set out by the European Court of Justice in its ruling in October 2015, which declared the old Safe Harbour framework invalid.
The European Commission worked together with the European data protection authorities, the European Parliament, the Member States and our US counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data.
The EU-US Privacy Shield is based on the following principles:
Firstly, strong obligations on companies handling data: under the new arrangement, the US Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list.
Secondly, written assurance from the US government, to be published in the federal register, that the access of public authorities to the data for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
The US explicitly assures that there is no indiscriminate or mass surveillance.
There will be an annual joint review to regularly monitor the functioning of the arrangement and the commitments made.
Thirdly, easy redress possibilities for Europeans in case of complaints about how their data is handled, whether it is by private companies or by the government.
Since releasing the first draft of the Privacy Shield in February, the European Commission has been able to make it even better and clearer by taking on board the recommendations of Europe’s independent data protection authorities, as well as a relevant resolution of the European Parliament.
The Commission has also been in a close dialogue with business, consumer and privacy associations and of course our Member States, who in early July gave their overwhelming support to the Privacy Shield.
Our attention must now turn to getting the Privacy Shield up and running in practice. It’s important that businesses can quickly sign up to the Privacy Shield, ending a period of uncertainty after last year’s Court ruling.
And it’s equally important that individuals – whether as consumers or employers – have comprehensive information about how their rights are guaranteed.
This is why the European Commission will soon publish a short guide for citizens explaining the available remedies in case an individual considers that his personal data has been used without taking into account the data protection rules.
The EU-US Privacy Shield has enormous potential: Data flows between the two continents are essential to our society and economy. By protecting fundamental rights of individuals when their personal data is transferred from Europe to the US, and by giving renewed legal certainty to companies that rely on such transfers for their work, the Privacy Shield will strengthen the transatlantic economy and reaffirm our shared values.
George Markopouliotis is head of the European Commission Representation in Cyprus