New EU-U.S. privacy shield in force

By Maria Sturm

On 12 July 2016, the European Commission issued its implementing decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (Decision 2016/1250).  This action became necessary after the ECJ declared the Safe Harbor policy of the EU commission concerning the USA invalid in the Schrems case.


Maximilian Schrems v Data Protection Commission (C – 362/14)

In this case, the ECJ held that the “Commission Decision (…) of 26 July 2000 pursuant to Directive 95/46/EC  on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce” (Decision 2000/520) is invalid.

Art. 25 (1) of the Directive prohibits transfers of personal data to third countries that do not ensure an adequate level of protection for that data. The EU Commission declared in its Decision 2000/520, binding on the EU Member States according to Art. 288 (4) TFEU, that U.S. companies ensure such an adequate level if they comply with the principles set out in the decision.

However, the ECJ found, that no adequate level of protection was given, due to several reasons: first, U.S. public authorities were not required to comply with the principles. Second, only the adequacy of the level of protection was dealt with in Decision 2000/520, but not the measures by which the United States ensures an adequate level of protection.. Third, according to Decision 2000/520 there were to many exceptions since “national security, public interest and law enforcement requirements” had supremacy over the safe harbor principles. Fourth, the derogation rules were too general, as neither the sensitivity of the information nor the consequences for the persons affected were taken into account. Fifth, in the U.S., there were no rules limiting interference with the fundamental rights of the persons whose data is transferred from the EU. Finally, the efficacy of the legal protections were questioned, as the only enforcement measures which were possible were those before the FTC—which are limited to commercial disputes.


The new privacy shield

In response to this criticism, the new decision contains the following alterations:

First, more effective supervision mechanisms have been introduced to ensure that companies follow the rules. In particular, the Department of Commerce has been given stronger oversight authority and is tasked with regularly reviewing the participating companies. Second, U.S. authorities will have more limited access to personal data. There will no longer be indiscriminate mass surveillance, and persons affected by data access through U.S. authorities can now bring complaints to an independent Ombudsperson within the Department of State. Third, there are now several different redress possibilities for individuals: individuals can complain directly to the company, which is obliged to reply within 45 days; individuals can participate in alternative dispute resolution (ADR), free of charge for the individual; or individuals can lodge complains with the data protection authority in his/her home country that works together with the U.S. Department of Commerce and the Federal Trade Commission (FTC). Individuals can also contact the U.S. Department of Commerce or the FTC directly, and, as last resort, a new privacy shield panel has been created which will ensure that there are enforceable decisions. Finally, the adequacy of these provisions will be reviewed on a regular basis to make sure that data are protected even under changing circumstances.

The EU Commission and the U.S. government showed sincere interest in fulfilling the ECJ’s requirements, but only a new challenge to this privacy protection shield will show if Privacy Shield is sufficient under EU law. It will be interesting to watch to see which measures the Commission will take after its annual decision review in 2017.