On July 12th 2016, the European Commission adopted the substitute for the Safe Harbor, the data protection agreement previously signed between the Commission and the United States Department of Commerce in 2010. This new agreement is referred to as the “Privacy Shield”.
As a reminder of the present state, the European Union Court of Justice “Schrems” decision on October 6th 2015 has invalidated the Safe Harbor agreement, stating that such agreement did not provide enough data protection for European citizens. The Safe Harbor was supposed to provide a legal framework on data transfer from European Union to the United States.
The new Privacy Shield is meant to be the substitute of the Safe Harbor. It is the result of negotiations between the European Commission and the American authorities since 2014.
The Privacy Shield is a flexible self-certificating mechanism provided to U.S. companies. Nevertheless, the U.S. pledged for controlling these companies and sanctioning any of their wrongdoings.
Companies will be able to transfer European citizen’s data to their US datacentres as long as this data collection is matching the reason why the data are sent to them in the first place. If the companies’ needs are changing, European citizens will be allowed to prevent their data to be continuously transferred to the U.S. Only sensitive data transfers will require prior consent (e.g. health, religion, political views…). This consent will be a unique one until the companies want to use those data for different purposes.
U.S. companies will be allowed to keep European data as long as they are using it for their original purposes.
Regarding the mass surveillance and data gathering, part of the reason why the Privacy Shield has been set up for, the United States pledged for a non-usage of any European personal data massive and systematic surveillance. In practice, it indicates that the U.S. can no longer gather European data in a massive and indiscriminate way: their future surveillance must be precise and targeted.
Only one major exception remains within the core of the agreement: the American Intelligence and law enforcements will keep on intercepting and using data from European citizens in a massive way whenever a precise and targeted collect is made technically impossible. However, the U.S. Intelligence Community (organisation of 16 separate government agencies, including the NSA) director stated that “massive” was different from “indiscriminate”: the Intelligence will still put filters in order to minimize the collection of irrelevant data.
European citizens will be able to directly complain to the company in case of any misuse of their data. The company will decide whether or not to proceed with the complaint. Citizens also have the ability to inform their own national data protection authorities (Autoriteit Persoonsgegevens (NL), Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (DE), Commission Nationale de l’Informatique et des Libertés (FR), etc.) about a potential misuse of their data, in which case the authority will collaborate with the U.S. Federal Trade Commission in order to examine and possibly put an end to the breach.
Companies, which wish to be bound with the Privacy Shield, must ask for a certification before the American governmental authorities, starting August 1st 2016. For the time being, IT Giants such as Microsoft and Salesforce have already decided to comply with the new data protection requirements, followed by Google Inc. The latter announced its decision to submit its certification of adherence on August 30th 2016.
Alexandre Sainz