March 1, 2016
25th February 2016 – Una Dillon, Managing Director MRC EU
The European Commission and the US agreed on a new framework (EU-US Privacy Shield) for the transatlantic flow of data on the 2nd February 2016. So, what brought us to this point and what does it really mean for EU merchants?
The so-called “Safe Harbor” agreement was made by the European Commission in 2000 and allowed around 4,500 US companies to transfer data from the EU under specific data protection standards.
In 2013, a claim against Facebook was brought to the Irish Data Protection Commissioner (IDPC) by Austrian law student Max Schrems. He suggested, on the back of claims made by Edward Snowden regarding alleged access to certain private data by US intelligence authorities, that Facebook (Ireland Limited) was transferring personal data to the US under circumstances where the laws and practices in the US presented no real protection against the sharing of that data.
The IDPC decided it was a matter for the European Commission. The case was finally put to the European Court of Justice (ECJ). In October 2015, the ECJ found that "the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities." In other words, the decisions made by (EU) national supervisory authorities on the adequacy of data protection measures by a third country to which their citizens’ data is transferred override European Commission decisions made under the Safe Harbor agreement.
Once the ruling was made by the ECJ, the European Commission and US authorities set about producing a relevant and working replacement for Safe Harbor.
EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, gave a speech in Strasbourg on February 2nd, where she announced the Commission had finalised negotiations with the US on a renewed and safe framework for transatlantic data flows.
Jourová promised a conclusion of “a strong and safe framework for the future of transatlantic data flows” with an arrangement that protects the fundamental rights of Europeans and ensures legal certainty. In her speech, Jourová outlined the key achievements of the negotiation:
1. Clear safeguards and transparency obligations on US government access to data. The Commission and the US Department of Commerce agreed to carry out an annual joint review to ensure the commitments are made and upheld.
2. Effective protection of Europeans’ rights - any citizen who considers their data has been misused under the Safe Harbour scheme will benefit from several accessible and affordable dispute resolution mechanisms.
Individuals can go to EU Data Protection Authorities, who will work together with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. These cases should be resolved in a reasonable timeframe: if a DPA refers a case to the US, the Department of Commerce will have a deadline to respond.
*References: European Commission, European Court of Justice
Úna Dillon is the Managing Director of MRC Europe, responsible for providing overall leadership of the MRC’s European operations including business development, programme and educational development, member recruitment and strategic management. She has over 19 years’ experience in financial services, payment card scheme management and strategy, European policy and membership associations. Her experience includes Head of Card Services at The Irish Payment Services Organisation (IPSO), General Manager of Laser Card Services (the Irish national debit card scheme), Board Director of the European ATM Security Team (EAST) and participant in numerous EPC (European Payments Council) and EC (European Commission) working groups on payments and on financial fraud prevention matters.