The European Commission adopts the legal framework for international data transfers between the US and the European Union.

Legal memo on the approval of the Privacy Agreement (Privacy Shield) for international transfers of personal data to entities in the United States.

Yesterday 12 July, the European Commission issued a press release communicating the approval of a new regulatory framework between Europe and the United States regarding the new data protection agreement “Privacy Shield”, which declares as appropriate international transfers made to entities in the United States within this legal framework.

Thus, US entities can be certified from next August 1, and may import personal data without the need for exporting European entities have to seek authorization from the various European Authorities on Data Protection.

The “Privacy Shield” agreement adopted today, comes from the need to provide legal certainty to those commercial relations between the European Union and the United States involving transfers of personal data, after canceling last October 6, 2015 Safe Harbor agreement.

This new regulatory framework, which began to take shape on February 2 2016, when the European Commission and the US government reached a political agreement to develop the exchange of personal data for commercial purposes, was materialized in a draft decision on 29 February on which, following the opinion of the Article 29 Working Party (which included strong critics regarding that these measures were not sufficient to ensure an adequate level of privacy) and resolution in May the European Parliament, reaches the text that has been approved today by the Commission.

Which are the implications of this “Privacy Shield”?

• Severe requirements for companies processing personal data: The US Commerce Department will have the power to conduct regular reviews and updates to the Privacy Shield member entities to ensure their compliance with the regulatory framework. A new feature includes that in case of subsequent transfers to third parties from a privacy shield attached entity, such parties should ensure the same level of protection.

• Greater transparency in the access to data by the US administration. The indiscriminate surveillance data carried by the American authorities will be subject to restrictions, safeguards and monitoring mechanisms. In addition, the North American Secretariat of State has introduced the possibility that European citizens can appeal the processing of data by the US authorities through a mediation system within the Department of State and independent of the US National Security Agency.

• Effective protection of individual rights of European citizens with various possibilities appealing against private entities, namely:

• Before the entity attached to Privacy Shield, to be resolved within a maximum period of 45 days.
• Through a court and free dispute resolution system.
• Before the National European data protection authorities, which will collaborate with the US Federal Trade Commission to ensure that the claims made by European citizens are investigated and resolved.
• Alternatively, if not resolved by the above mentioned mechanisms, foreseen an arbitration mechanism.

• Annual review of the functioning of the Privacy Shield by the European Commission and the United States Department of Commerce.