On February 29, the European Commission published the full text of the EU-US Privacy Shield Agreement, which deals with privacy issues regarding transfers of personal data – issues that seriously damage transatlantic relations.
Here is a brief history of the agreement:
In 1995, the European Union (EU) adopted a Data Protection Directive based on the OECD’s principles. The Data Protection Directive became effective on October 25, 1998 and required “that transfers of personal data take place only to non-EU countries that provide an ‘adequate’ level of privacy protection.”
On July 26, 2000, the European Commission agreed to adopt the ‘Safe Harbour’ principles to facilitate data flows specifically between the United States and European Union Member States. US companies could now “send and receive European personal data if they self-assessed and self-certified that their data transfer measures were ‘secure.’”
But Safe Harbour was not “secure”. In 2013, Edward Snowden famously leaked information that pushed the EU to take action not only against the Safe Harbour agreement, but also against the NSA’s surveillance programs (i.e., PRISM). Take a look at Ernst-Oliver Wilhelm’s article, which provides a clear outline of many points that were being discussed about Safe Harbour from 2010 to 2015.
In the landmark case Schrems v. Data Protection Commissioner on October 5, 2015, the Court of Justice of the European Union (CJEU) invalidated Safe Harbour on the grounds that it gave insufficient protection against American spy agencies.
“– Greater obligations on companies to publish their commitment to protecting Europeans’ personal data with robust monitoring by the Department of Commerce and enforcement by the Federal Trade Commission
– Companies will have to promise not to collect more personal information than needed for their services
– Clearer safeguards and transparency obligations on US government access by disallowing indiscriminate mass surveillance on personal data and implementing an annual joint review to regularly monitor the functioning of the arrangement
– Providing EU citizens with avenues for redress if their data protection rights become compromised. US companies may be directly liable for violations, and European Data Protection Authorities can refer complaints to the Department of Commerce and the Federal Trade Commission. For complaints regarding possible access by national intelligence authorities, an Ombudsperson will be created to address the concerns.”
The EU announced that it will suspend the agreement “should the current or next US administration fail to adhere to the new rules under the so-called EU-US Privacy Shield.”
Read the EU-U.S. Privacy Shield agreement in full here.