EU – USA : Privacy Shield – New Stronger Protection Rules


EU-United States: Privacy Shield – Stronger protection


Strong obligations on companies handling data; clear safeguards and transparency obligations on U.S. government access; effective protection of individual rights; Ombudsperson mechanism – Strict obligations for companies processing data; access by U.S. public authorities subject to clear conditions and transparency obligations; Ombudsperson mechanism; effective protection of individual rights…


***

Brussels, 12 July 2016 – This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States, as well as bringing legal clarity for businesses relying on transatlantic data transfers. The decision enters into force upon notification to the Member States. [Adequacy decision] [Annexes]

Andrus Ansip, Commission Vice-President for the Digital Single Market, said: “We have approved the new EU-U.S. Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: “The EU-U.S. Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our U.S. counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data”. [full remarks]

The EU-U.S. Privacy Shield is based on the following principles:

* Strong obligations on companies handling data: under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.

* Clear safeguards and transparency obligations on U.S. government access: The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area. The U.S. has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement. The Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State.

* Effective protection of individual rights: Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself; otherwise, free of charge Alternative Dispute Resolution (ADR) solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress in the area of national security for EU citizens will be handled by an Ombudsperson independent from the US intelligence services.

* Annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the U.S. Department of Commerce will conduct the review and associate national intelligence experts from the U.S. and European Data Protection Authorities. The Commission will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.

Since presenting the draft Privacy Shield in February, the Commission has drawn on the opinions of the European data protection authorities (Art. 29 working party) and the European Data Protection Supervisor, and the resolution of the European Parliament to include a number of additional clarifications and improvements. The European Commission and the U.S. notably agreed on additional clarifications on bulk collection of data, strengthening the Ombudsperson mechanism, and more explicit obligations on companies as regards limits on retention and onward transfers.

Next steps:

The “adequacy decision” will be notified today to the Member States and thereby enter into force immediately. On the U.S. side, the Privacy Shield framework will be published in the Federal Register, the equivalent to our Official Journal. The U.S. Department of Commerce will start operating the Privacy Shield. Once companies have had an opportunity to review the framework and update their compliance, companies will be able to certify with the Commerce Department starting August 1. In parallel, the Commission will publish a short guide for citizens explaining the available remedies in case an individual considers that his personal data has been used without taking into account the data protection rules.

Background

On 2 February 2016 the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic exchanges of personal data for commercial purposes: the EU-U.S. Privacy Shield [IP/16/216]. The Commission presented the draft decision texts on 29 February 2016. Following the opinion of the Article 29 Working Party (data protection authorities) of 13 April and the European Parliament resolution of 26 May, the Commission finalised the adoption procedure on 12 July 2016.

European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows

The EU-U.S. Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. [Factsheet]

*

The EU-U.S. Privacy Shield: stronger protection for transatlantic data flows

Brussels, 12 July 2016 – The new framework protects the fundamental rights of any EU citizen whose personal data is transferred to the United States, while providing legal clarity for businesses that rely on transatlantic data transfers. [Adequacy decision]

Andrus Ansip, Vice-President of the European Commission for the Digital Single Market, said: “We have approved the new EU-U.S. Privacy Shield today. It will protect the personal data of our citizens and provide clarity for businesses. We have worked hard with all our European and American partners to reach an adequate agreement as quickly as possible. Data flows between our two continents are essential to our society and our economy. We now have a robust framework ensuring that these transfers take place under optimal conditions, including in terms of security.”

Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, said: “The EU-U.S. Privacy Shield is a robust new system designed to protect the personal data of Europeans and provide legal certainty for businesses. It provides stronger data protection standards, backed by more rigorous enforcement, as well as safeguards on government access to data and simplified redress options for individuals in the event of a complaint. The new framework will restore consumer trust when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our American counterparts to put in place an arrangement based on the highest standards to protect the personal data of Europeans.”

The EU-U.S. Privacy Shield is based on the following principles:

* strict obligations for companies processing data: under the new arrangement, the U.S. Department of Commerce will regularly update and review participating companies to ensure that they observe the rules they have signed up to. Companies whose practice does not comply with the new rules will face sanctions and removal from the list of companies participating in the scheme. Thanks to tightened conditions for the onward transfer of data to third parties, the same level of protection will be ensured in the event of such a transfer by a participating company;

* access by U.S. public authorities subject to clear conditions and transparency obligations: the United States has given the European Union the assurance that access by public authorities to data for law enforcement and national security purposes will be subject to well-defined limitations, conditions and oversight mechanisms. Likewise, all EU citizens will for the first time benefit from redress mechanisms in this area. The United States has ruled out any systematic mass surveillance of personal data transferred to its territory under the EU-U.S. Privacy Shield. The Office of the Director of National Intelligence has also specified that bulk collection of data would be subject to certain preconditions and that such collection should be as targeted and precise as possible. It has detailed the safeguards put in place for the use of data in such exceptional circumstances. The U.S. Secretary of State has established a redress possibility for Europeans in the area of national intelligence by creating an Ombudsperson mechanism within the Department of State;

* effective protection of individual rights: any citizen who considers that their data has been misused under the Privacy Shield will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the company itself will act on the complaint, or free alternative dispute resolution solutions will be offered. The individual may also contact their national data protection authority, which will work with the Federal Trade Commission to ensure that complaints lodged by EU citizens are examined and resolved. Where a dispute has not been resolved by any of these means, an arbitration mechanism will be available as a last resort. Redress in the area of national security for EU citizens will go through an Ombudsperson independent from the U.S. intelligence services;

* an annual joint review mechanism: this mechanism will monitor the functioning of the Privacy Shield, and in particular compliance with the commitments and assurances regarding access to data for law enforcement and national security purposes. The review will be conducted by the European Commission and the U.S. Department of Commerce, which will involve national intelligence experts from the U.S. and European data protection authorities. The Commission will draw on all other available sources of information and will submit a public report to the European Parliament and the Council.

Since presenting the draft Privacy Shield in February, the Commission has taken into account the opinion of the European data protection authorities (the Article 29 Working Party), the views of the European Data Protection Supervisor and the European Parliament's resolution in order to add a number of clarifications and improvements. The European Commission and the United States notably agreed on further clarifications regarding bulk data collection, on strengthening the Ombudsperson mechanism and on more explicit obligations for companies regarding limits on data retention and onward transfers.

Next steps:

The adequacy decision will be notified to the Member States today and will enter into force immediately. In the United States, the Privacy Shield texts will be published in the Federal Register, the equivalent of our Official Journal. The U.S. Department of Commerce will put the Privacy Shield into operation. Once companies have had the opportunity to review the framework and bring themselves into compliance, they will be able to obtain certification from the Department of Commerce from 1 August. In parallel, the Commission will publish a short guide for citizens explaining the redress options available should they consider that their personal data has been used without regard to the data protection rules.

Background

On 2 February 2016, the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic exchanges of personal data for commercial purposes: the EU-U.S. Privacy Shield. [see document IP/16/216]

The Commission presented the draft decision on 29 February 2016. Following the opinion delivered on 13 April by the Article 29 Working Party (made up of the data protection authorities) and the resolution adopted on 26 May by the European Parliament, the Commission completed the adoption procedure on 12 July 2016.

The EU-U.S. Privacy Shield takes into account the requirements set out by the Court of Justice of the European Union in its judgment of 6 October 2015, which invalidated the old Safe Harbour regime.

*

Frequently Asked Questions

What is the EU-US Privacy Shield?

After two and a half years of negotiations, the European Commission and the U.S. Department of Commerce on 2 February 2016 reached an agreement on a new framework for transatlantic exchanges of personal data for commercial purposes: the EU-U.S. Privacy Shield (IP/16/216). This new framework will protect the fundamental rights of individuals where their data is transferred to the United States and ensure legal certainty for businesses. On 12 July 2016, following a positive vote from the Member States (Article 31 committee) on 8 July, the College of Commissioners formally adopted the Privacy Shield.

The EU-U.S. Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid.

The new arrangement will impose stronger obligations on companies in the U.S. to protect the personal data of individuals and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including an increased cooperation with the European Data Protection Authorities. The new arrangement includes written commitments and assurance by the U.S. that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalised access. The newly created Ombudsperson mechanism will handle and solve complaints or enquiries raised by EU individuals in this context.

What is an adequacy decision?

An “adequacy decision” is a decision adopted by the European Commission, which establishes that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law and international commitments.

The effect of such a decision is that personal data can flow from the 28 EU Member States (and the three European Economic Area member countries: Norway, Liechtenstein and Iceland) to that third country, without any further restrictions.

The EU-U.S. Privacy Shield framework ensures an adequate level of protection for personal data transferred to the U.S. The EU-US Privacy Shield consists of Privacy Principles that companies must abide by and commitments on how the arrangement will be enforced (written commitments and assurance by the State Secretary John Kerry, Commerce Secretary Penny Pritzker, the Federal Trade Commission and the Office of the Director of National Intelligence, amongst others).

What does the new EU-U.S. Privacy Shield bring?

The EU-U.S. Privacy Shield addresses both the recommendations made by the Commission in November 2013 and the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid.

The new agreement will include:

° Strong obligations on companies handling data

* Regular reviews of participating companies by the Department of Commerce as to their compliance with the applicable data protection rules.

* The new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the Privacy Shield list.

* Tightened conditions for onward transfers to third parties by the companies participating in the scheme. The obligation to provide the “same level of protection” was further clarified during the adoption process and now includes an obligation for the third party concerned to inform the Privacy Shield company when it is no longer able to ensure the appropriate level of data protection, after which the Privacy Shield company will have to take appropriate measures.

* The existing limitation of data retention has been made more explicit. Companies may keep personal data only as long as this serves the purpose the data was collected for.

° Clear limitations and safeguards with respect to U.S. government access

* Strong commitments in written form by the Office of the Director of National Intelligence (White House), ruling out indiscriminate mass surveillance on data transferred under the Privacy Shield arrangement.

* In the course of the adoption process, the Office of the Director of National Intelligence further clarified through an additional document how bulk collection of data could only be used under specific preconditions and needs to be as focused as possible, in particular through the use of filters and the requirement to minimise the collection of non-pertinent information. It also explains which safeguards are in place for the use of such data. The new document once more rules out the use of indiscriminate mass surveillance by the U.S.

* US Secretary of State John Kerry committed to establishing a redress possibility in the area of national security for EU individuals through an Ombudsperson within the Department of State, who will be independent from national security services. The Ombudsperson will follow up complaints and enquiries by EU individuals with respect to national security access and confirm to the individual that the relevant laws have been complied with or, in case of non-compliance, that any such non-compliance has been remedied.

* To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and associate national security experts from the U.S. and European Data Protection Authorities to it. The Privacy Shield is a living mechanism, which will be reviewed continuously to check whether it functions well. In case an adequate level of data protection by the Privacy Shield is no longer guaranteed, the European Commission will take the appropriate measures, including the suspension of its adequacy decision.

° Effective protection of Europeans’ rights

Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms:

* Ideally, and from experience, the complaint will be resolved by the company itself.

* Privacy Shield companies can opt between free of charge Alternative Dispute Resolution (ADR) or voluntary submission to the oversight of the EU Data Protection Authorities.

* In any event, individuals can go to the EU Data Protection Authorities, who will channel their complaints to the Department of Commerce and/or the Federal Trade Commission (FTC) to ensure that complaints by individuals are investigated and resolved. These cases should be resolved in a reasonable timeframe: if a DPA refers a case to the US, the Department of Commerce will have a deadline to respond. As for the FTC, it has committed to give priority consideration to complaints from individuals.

* If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism available.

* Redress in the area of national security for anyone whose data is transferred to the U.S. will be handled by an Ombudsperson independent from the US intelligence services. During the adoption process the functioning of the Ombudsperson has been further clarified, in particular its independence and its cooperation with other independent oversight bodies with investigatory powers.

How will the Privacy Shield work concretely?

US companies will register to be on the Privacy Shield list and self-certify that they meet the high data protection standards set out by the arrangement. They will have to renew their registration every year.

The US Department of Commerce will monitor and actively verify that companies’ privacy policies are in line with the relevant Privacy Shield principles and readily available to the public.

The US has committed to maintaining an updated list of current Privacy Shield members and removing those companies that have left the arrangement. The Department of Commerce will ensure that companies that are no longer members of Privacy Shield must still continue to apply its principles to personal data received when they were in the Privacy Shield, for as long as they continue to retain them.

How can individuals obtain redress in the US if their data is misused by commercial companies?

Any individual who considers that his or her data has been misused will have several redress possibilities under the new arrangement:

* Lodge a complaint with the company itself: Companies commit to reply to complaints within 45 days. In addition, any company handling human resources data from individuals has to commit to comply with advice by the competent EU Data Protection Authority (DPA), while other companies may voluntarily make such a commitment. The Commission encourages companies to do so.

* Take their complaint to their ‘home’ DPA: The DPA will refer the complaint to the Department of Commerce, who will respond within 90 days, or the Federal Trade Commission, if the Department of Commerce is unable to resolve the matter.

* Use Alternative Dispute Resolution, a free of charge tool to which US companies may sign up as one of the redress mechanisms required for participation under the Privacy Shield. The companies will be required to include information in their published privacy policies about the independent dispute resolution body where consumers can address their complaints. They must provide a link to the website of their chosen dispute resolution provider and the Department of Commerce will verify that companies have implemented this obligation.

* If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Individuals will be able to have recourse to the Privacy Shield Panel, a dispute resolution mechanism that can take binding decisions against U.S. self-certified companies. It ensures that every single complaint is being dealt with and that the individual obtains a remedy. Several ‘consumer-friendly’ features (e.g. no cost, possibility to participate by video-conference, free of charge translation and interpretation) ensure that individuals are not discouraged from making use of the panel.

What changes have been made in the U.S. since the Snowden revelations?

The U.S. Government and Congress launched important surveillance reforms in response to the Snowden revelations.

In January 2014, President Obama issued Presidential Policy Directive 28 (PPD-28), which imposes important limitations on intelligence operations. It specifies that data collection by the intelligence services should, as a rule, be targeted. Additionally, PPD-28 limits the exceptional use of bulk collection of data to six national security purposes (countering threats from espionage, terrorism, weapons of mass destruction, threats to cybersecurity or the Armed Forces, or transnational criminal threats) to better protect the privacy of all persons, including non-U.S. citizens.

Since 2015, the USA Freedom Act also limits bulk collection of data and allows companies to issue transparency reports on the approximate number of government access requests.

The Commission will continuously monitor the situation and follow the upcoming reports of the Privacy and Civil Liberties Oversight Board assessing the implementation of the PPD-28, as well as the review of the Section 702 FISA Programme relating to foreign surveillance due in 2017.

What are the guarantees regarding the national security access to data transferred to the US?

For the first time, the US has given the EU written assurance, to be published in the Federal Register, that the access of public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. The US explicitly assures that there is no indiscriminate or mass surveillance. To regularly monitor the functioning of the arrangement and the commitments made, there will be an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European Data Protection Authorities to it.

What will be the role of the Ombudsperson mechanism?

The possibility for redress in the area of national security for everybody whose data is transferred to the U.S. will be handled by an Ombudsperson, independent from the US intelligence services. This is a new mechanism introduced by the Privacy Shield arrangement.

The Ombudsperson mechanism will deal with complaints from individuals who fear that their personal information has been used in an unlawful way by US authorities in the area of national security. This redress mechanism will inform the complainant whether the matter has been properly investigated and that either US law has been complied with or, in case of non-compliance, this has been remedied.

How are the requirements of the ECJ ruling satisfied?

* Monitoring and oversight

The new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies follow the rules they submitted themselves to. The US has committed to stronger oversight by the Department of Commerce as well as stronger cooperation between European Data Protection Authorities and the Federal Trade Commission. This will transform the system from a self-regulating one into an oversight system that is more responsive as well as proactive.

* Limitations for access to personal data for national security purposes

The U.S. authorities set out the safeguards, limitations and oversight mechanisms in place for any access to data by public authorities for national security purposes. The U.S. affirms that there is no indiscriminate, mass surveillance. For complaints on possible access by national intelligence authorities, a new Ombudsperson mechanism will be set up, independent from the intelligence services.

* All individual complaints will be handled and resolved

There will be a number of ways to address complaints, starting with dispute resolution by the Privacy Shield company and free of charge alternative dispute resolution solutions. Individuals can also go to the Data Protection Authorities, who will work together with the U.S. Department of Commerce and Federal Trade Commission to ensure that complaints by individuals are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress in the area of national security for individuals will be handled by an Ombudsperson independent from the US intelligence services.

* Regular review of adequacy decisions

The EU and the US have now agreed to establish a new mechanism to monitor the functioning of the Privacy Shield through an annual joint review.

The Commission and the Department of Commerce will carry out this review, which will serve to substantiate the commitments made. The joint review would involve, as appropriate, representatives of the US intelligence community and will provide a dynamic and ongoing process to ensure that the Privacy Shield is functioning in accordance with the principles and commitments made.
