EU-USA: Restoring "trust" in transatlantic data flows
01 March 2016
EU-US: Restoring trust in transatlantic data flows through strong safeguards: European Commission presents EU-U.S. Privacy Shield
(press release, pdf): "The European Commission today issued the legal texts that will put in place the EU-U.S. Privacy Shield and a Communication summarising the actions taken over the last years to restore trust in transatlantic data flows since the 2013 surveillance revelations. In line with President Juncker's political guidelines, the Commission has (i) finalised the reform of EU Data protection rules, which apply to all companies providing services on the EU market, (ii) negotiated the EU-U.S. Umbrella Agreement ensuring high data protection standards for data transfers across the Atlantic for law enforcement purposes, and (iii) achieved a renewed sound framework for commercial data exchange: the EU-U.S. Privacy Shield."
Commission Communication: Transatlantic Data Flows: Restoring Trust through Strong Safeguards
(COM(2016) 117 final, pdf) and: EU-U.S. Privacy Shield: Frequently Asked Questions
Draft adequacy decision: Commission Implementing Decision of XXX pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (pdf)
Annex 1: Letters from officials in the US Department of Commerce to Commissioner Jourová (10 pages, pdf): provides an overview of how the "Privacy Shield" will "strengthen the protection of privacy" and how the Department of Commerce will administer and supervise the system;
Annex 2: EU-U.S. Privacy Shield framework principles issued by the Department of Commerce (34 pages, pdf)
Annex 3: Letter from the US Secretary of State to Commissioner Jourová (nine pages, pdf): the annex contains the "EU-U.S. Privacy Shield Ombudsperson mechanism regarding signals intelligence", described as "a new mechanism that the Senior Coordinator will follow to facilitate the processing of requests to national security access to data transmitted from the EU to the United States pursuant to the Privacy Shield, standard contractual clauses (SCCs), binding corporate rules (BCRs), "Derogations," or "Possible Future Derogations," through established avenues under applicable United States laws and policy, and the response to those requests."
Annex 4: Letter from the Chairwoman of the Federal Trade Commission (FTC), to Commissioner Jourová (nine pages, pdf): the letter sets out how the FTC intends to enforce the "Privacy Shield": "Below, we explain the FTC's history of strong privacy enforcement generally, including our enforcement of the original Safe Harbor program, as well as the FTC's approach to enforcement of the new Framework."
Annex 5: Letter from the US Secretary of Transportation to Commissioner Jourová (four pages, pdf): describes the US Department of Transportation's role in "enforcing the EU-U.S. Privacy Shield Framework... the DOT renews its commitment in the following areas: (1) prioritization of investigation of alleged Privacy Shield violations; (2) appropriate enforcement action against entities making false or deceptive Privacy Shield certification claims; and (3) monitoring and making public enforcement orders concerning Privacy Shield violations."
Annex 6: Letter from the Office of the Director of National Intelligence to the US Department of Commerce and the US International Trade Administration (18 pages, pdf): "Over the last two and a half years, in the context of negotiations for the EU-U.S. Privacy Shield, the United States has provided substantial information about the operation of U.S. Intelligence Community signals intelligence collection activity. This has included information about the governing legal framework, the multi-layered oversight of those activities, the extensive transparency about those activities, and the overall protections for privacy and civil liberties, in order to assist the European Commission in making a determination about the adequacy of those protections as they relate to the national security exception to the Privacy Shield principles. This document summarizes the information that has been provided."
Annex 7: Letter from the US Department of Justice to the US Department of Commerce and the US International Trade Administration (five pages, pdf): "This letter provides a brief overview of the primary investigative tools used to obtain commercial data and other record information from corporations in the United States for criminal law enforcement or public interest (civil and regulatory) purposes, including the access limitations set forth in those authorities."
And: European data protection authorities to examine proposed deal: Statement of the Article 29 Working Party on the presentation by the European Commission of the EU-U.S. Privacy Shield (pdf):
"the Working Party will now assess these documents in order to give its opinion on the level of protection afforded by the EU-U.S. Privacy Shield. To this end, the relevant subgroups of the Working Party will be mobilized and will analyze the safeguards provided for in the arrangement on both the commercial aspects and the limitations for national security, public interests and law enforcement purposes."