European Commission joins Microsoft in adopting EU-US Privacy Shield

Kit McDonald

The open and available information spread across the internet is always a growing concern for users and businesses. Personal and confidential information spreading through hacks or carelessness can be a very real threat. Microsoft has always maintained a stance that privacy is a fundamental human right and after the collapse of the US-EU Safe Harbour agreement last autumn, the company was quick to offer solutions to bring back safety and security. Today, the European Commission released a press release announcing the official launch of the EU-US Privacy Shield.

After the European Court of Justice ruled last October that the Safe Harbour framework was invalid, a new framework was necessary to take its place with more defined requirements. The European Commission and the U.S. Government reached an official agreement on February 2, 2016 to build a framework that would better protect the personal data being transferred.

The proposal draft was submitted on February 29, 2016. Not surprisingly, Microsoft was the quickest to sign up to support the new framework just a few weeks later. After months of dedication and resolutions, the EU-US Privacy Shield was officially adopted today, July 12, 2016.

Taking a page from Microsoft’s book, the press release states that the EU-US Privacy Shield will protect the “fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.”

The EU-U.S. Privacy Shield is based on the following principles:

  • Strong obligations on companies handling data: under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.
  • Clear safeguards and transparency obligations on U.S. government access: The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area. The U.S. has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement. The Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State.
  • Effective protection of individual rights: Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself; or free of charge Alternative Dispute resolution (ADR) solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens’ will be handled by an Ombudsperson independent from the US intelligence services.
  • Annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the U.S. Department of Commerce will conduct the review and associate national intelligence experts from the U.S. and European Data Protection Authorities. The Commission will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.

Yesterday, Microsoft made a statement about the decision, citing it as “an important achievement for the privacy rights of citizens across Europe and for companies across all industries that rely on international data flows to run their businesses and serve their customers.” Microsoft’s Vice President of EU Government Affairs John Frank’s full ovation for the launch of the EU-US Privacy Shield can be read on the EU Policy Blog.