EU, U.S. Announce New Data Sharing Framework
In a press release issued on February 2, 2016, the European Commission announced that it had reached an agreement with the U.S. on a new framework for transatlantic data sharing. According to the press release, the new agreement intends to protect the privacy rights of Europeans who have their data transferred to the U.S. while at the same time providing legal certainty for businesses. To this end the new agreement will contain the following elements:
New Requirements for U.S. Businesses Handling Data of Europeans:
Under the new arrangement, U.S. companies wishing to import personal data from Europe will need to implement substantial obligations regarding how personal data is processed and must guaranty individual rights. To enforce this requirement, the U.S. Department of Commerce will mandate that companies publish their obligations, which will make them enforceable under U.S. law by the FTC. In addition, the new agreement will provide that any company handling human resources data from Europe has to commit to comply with decisions by European Data Protection Authorities.
Limitations and Safeguards Around the Ability of U.S. Public Authorities and Law Enforcement’s Access to Data:
For the first time, the U.S. will ensure that its public authorities, including law enforcement and national security, will be subject to clear limitations, safeguards and oversight mechanisms with regard to its access to the personal data of EU citizens. Any exceptions allowing for access must be used only to the extent necessary and proportionate to the need for accessing the data in the first place. Moreover, as part of the arrangement, the U.S. will not conduct indiscriminate mass surveillance on the personal data transferred to the U.S.
Redress Rights for EU Citizens:
If a EU citizen believes his or her data has been misused under the new arrangement, that citizen will now have the ability to file complaints against companies with a European Data Protection Authority, which, in turn, may refer complaints to the Department of Commerce and FTC. Companies receiving complaints will have deadlines for replying.
The newly announced framework comes after the previous data sharing pact between the EU and U.S. was struck down in October of last year after.
Previously in place for 15 years, the struck-down data sharing pact enabled U.S. companies that handled European users’ data—such as Web search histories and social media updates—to bypass Europe’s strict data privacy laws, which tightly govern how such data can be gathered and used. After the previous data sharing pact was struck down, the EU data protection agencies provided a safe harbor period through January 2016 to allow a replacement data sharing agreement to be reached between the EU and U.S. Without the new data sharing framework in place, EU agencies would likely have undertaken coordinated enforcement actions to ensure companies comply with the EU data protection requirements.