The European Commission has adopted the legal framework for international data transfers between the US and the European Union. The framework concerns the new data protection agreement ‘privacy shield’, which covers international transfers made to US entities. US entities can be certified from 1 August, and may import personal data without exporting European entities having to seek authorisation from the various European data protection authorities.
The ‘privacy shield’ agreement arises from the need to provide legal certainty to commercial relations between the European Union and the United States involving transfers of personal data, following the cancellation of the ‘Safe Harbor’ agreement on 6 October 2015.
This new regulatory framework began to take shape on 2 February 2016, when the European Commission and the US government reached a political agreement to develop the exchange of personal data for commercial purposes. It materialised in a draft decision on 29 February following an opinion from the Article 29 Working Party and a European Parliament resolution.
What are the implications of this ‘privacy shield’? It places obligations on companies processing personal data. The US Commerce Department will have the power to conduct regular reviews of privacy shield member entities to ensure their compliance with the regulatory framework. Another feature is that, in cases of subsequent transfers to third parties from a privacy shield-attached entity, such parties should ensure the same level of protection.
The privacy shield also provides for greater transparency in relation to data accessed by the US administration. Indiscriminate surveillance of data carried out by US authorities will be subject to restrictions, safeguards and monitoring mechanisms. In addition, the North American Secretariat of State has introduced a mechanism enabling European citizens to appeal the processing of data by the US authorities through a mediation system within the Department of State and independent of the US National Security Agency.
The privacy shield also enables the effective protection of the individual rights of European citizens, with various channels for appealing against private entities, namely: appealing to the entity attached to the privacy shield, which must be resolved within a maximum period of 45 days; through a court and free dispute resolution system; before the national European data protection authorities, which will collaborate with the US Federal Trade Commission to ensure that the claims made by European citizens are investigated and resolved; alternatively, if not resolved by the above-mentioned mechanisms, there is an arbitration mechanism.
There will also be an annual review of how the privacy shield is functioning. It will be carried out by the European Commission and the United States Department of Commerce.
Jesús Yáñez is a partner at Ecija. He can be contacted at email@example.com