EU Privacy Laws: EU Commission and USA agree on new framework for transatlantic data flows: EU-US Privacy Shield

EU-US Agreement - Transatlantic Data flows

The College of EU Commissioners recently  approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement. This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.

The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.

The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

Vice-President Ansip said: "We have agreed on a new strong framework on data flows with the US. Our people can be sure that their personal data is fully protected. Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic. We have a duty to check and we will closely monitor the new arrangement to make sure it keeps delivering. Today's decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US. We will work now to put it in place as soon as possible."

Commissioner Jourová said: "The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies. For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments."

The new arrangement will include the following elements:

• Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.

• Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.

• Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

Next steps
The College has today mandated Vice-President Ansip and Commissioner Jourová to prepare a draft "adequacy decision" in the coming weeks, which could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.

Background
On 6 October, the Court of Justice declared in the Schrems case that Commission’s Decision on the Safe Harbour arrangement was invalid. The judgment confirmed the Commission's approach since November 2013 to review the Safe Harbour arrangement, to ensure in practice a sufficient level of data protection as required by EU law.

On 15 October, Vice-President Ansip, Commissioners Oettinger and Jourová met business and industry representatives who asked for a clear and uniform interpretation of the ruling, as well as more clarity on the instruments they could use to transfer data.

On 16 October, the 28 national data protection authorities (Article 29 Working Party) issued a statement on the consequences of the judgment.

On 6 November, the Commission issued guidance for companies on the possibilities of transatlantic data transfers following the ruling until a new framework is put in place.

On 2 December, the College of Commissioners discussed the progress of the negotiations. Commissioner Jourová received a mandate to pursue the negotiations on a renewed and safe framework with the US.

Almere-Digest

NSA created 'European bazaar' to spy on EU citizens, Snowden tells European Parliament - by Loek Essers

"Don't worry EU, we are your friend"

The U.S. National Security Agency (NSA) has turned the European Union into a tapping “bazaar” in order to spy on as many EU citizens as possible, NSA leaker Edward Snowden said.

The NSA has been working with national security agencies in EU member states to get access to as much data of EU citizens as possible, Snowden said in a testimony sent to Members of the European Parliament (MEPs) published Friday March 7.

The European Parliament had invited Snowden to provide testimony for an inquiry into the electronic mass surveillance of EU citizens. That surveillance, often instigated by the NSA but carried out with help of EU member states, is quite extensive, he wrote.

The NSA has been pressuring EU member states to change their laws to enable mass surveillance, according to Snowden. This is done through NSA’s Foreign Affairs Division (FAD), he said, adding that lawyers from the NSA and GCHQ work very hard “to search for loopholes in laws and constitutional protections that they can use to justify indiscriminate, dragnet surveillance operations that were at best unwittingly authorized by lawmakers,” he said.

The deals between the NSA and foreign partners are set up in such a way as to provide the NSA with a means of monitoring a partner’s citizens without informing the partner, and to provide the partner with a means of plausible deniability, he said.

“The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn’t search it for Danes, and Germany may give the NSA access to another on the condition that it doesn't search for Germans. Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements,” Snowden said.

Snowden, who said that he’s still seeking asylum in the EU, also provided solutions to solve the mass surveillance problem.

It is easy to make mass surveillance more expensive through changes in technical standards, he said. “Pervasive, end-to-end encryption can quickly make indiscriminate surveillance impossible on a cost effective basis,” he said, adding that the result is that governments are likely to fall back to traditional, targeted surveillance founded upon an individualized suspicion.

The European Parliament is set to vote on a draft resolution on Wednesday March 12 that seeks to keep data protection out of EU-U.S. trade talks. The MEPs want the EU to suspend two deals with the U.S., one on exchanging banking data and the other on the Safe Harbor privacy principles for U.S. firms holding European data, as, they say, the fight against terrorism can never justify secret and illegal mass surveillance.

The MEPs will also vote on a proposal for stronger safeguards for data transfers to non-EU countries.

Wednesday’s vote could result in the updating of 19-year-old data-protection laws. Under MEPs’ amendments, companies breaking the rules would face fines of up to €100 million (about $139 million), or up to 5 percent of their annual worldwide turnover, whichever is greater, according to the Parliament

Read more: NSA created 'European bazaar' to spy on EU citizens, Snowden tells European Parliament | PCWorld