In a ruling from October 2015 (Safe Harbour ruling (C 362/14)), the Safe Harbour scheme concerning transfer of personal data from the EU to the USA was overruled by the European Court of Justice. On 2 February 2016, the Commission announced together with the USA the plans of a new scheme – called Privacy Shield – replacing the Safe Harbour scheme.
On 29 February 2016, the Commission introduced a new legislative package concerning Privacy Shield.
It is the intention that protection of personal data when processed by US companies or authorities under the Privacy Shield scheme must be at the same level as the data protection applying within the EU. This is ensured by way of:
- Strict obligations for companies and consistent enforcement.
- Clear requirements for protection and transparency concerning the US government's access to the data. It appears that the USA has given the EU a written guarantee that the access to data that the US authorities have in consideration of national security will be subject to clear restrictions, protective measures and supervision with the result that general access to the information is prevented. It further appears that the Secretary of State, John Kerry, has guaranteed that a complaint procedure will be implemented for EU citizens by way of an ombudsman in the State Department. The ombudsman will be independent of state security services.
- Effective protection of EU citizens' rights by way of various opportunities to complain. Companies must process complaints within 45 days. Free alternative dispute resolution. EU citizens can also address the national data protection agencies, which are responsible for investigating and clarifying complaints together with the Federal Trade Commission.
- Annual joint evaluation mechanism. The Privacy Shield is going to be supervised, including the commitments and guarantees in relation to the US authorities' access to data in consideration of law enforcement and national security. Based on the annual evaluation, the Commission will present a public report to the Parliament and the Council.
The next step in the implementation of the Privacy Shield scheme will be that a committee consisting of representatives of the EU member states and the European data protection agencies (under the auspices of the so-called Article 29 group) will provide a statement, before the Commission once again has to decide on the Privacy Shield scheme. Ultimately, the scheme must be presented to the Council for adoption after the Parliament's approval.