Meet the new Safe Harbor: EU-US Privacy Shield

As many of you are now aware, in October 2015 the US-EU Safe Harbor Framework was declared invalid by the Court of Justice of the European Union (CJEU) in its Schrems decision on October 6th 2015.  

Earlier this year, the US and the EU agreed on a new framework for transatlantic data flows which will replace the U.S-EU Safe Harbor Framework. The new transatlantic agreement is called the EU-USPrivacy Shield and will serve as a new legal mechanism for transatlantic data flows. The general idea is to ensure, both in theory and in practice, a sufficient level of data protection.

According to the Commission, the Privacy Shield reflects the requirements set out in the Schrems decision, and “requires the U.S to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities.”

What does this mean in practice?

When American companies engage in trade and commerce with the European Union, personal information of EU citizens (such as names, emails, addresses…) is likely to be transferred to the U.S. According to the European Commission, the new EU-US Privacy Shield (which will replace the now defunct Safe Harbor) will allow and ensure the following:

For American companies,

• Self-certify annually that they meet the requirements;

• Display privacy policy on their website;

• Reply promptly to any complaints (If handling human resources data);

• Cooperate and comply with European Data Protection Authorities.

For European individuals,

• More transparency about transfers of personal data to the U.S. and stronger protection of personal data;

• Easier and cheaper redress possibilities in case of complaints - directly or with the help of their local Data Protection Authority.

Who is doing what?

On the European side, Vice-President Ansip and Commissioner Jourová have prepared a draft “adequacy decision” which will then be adopted by College after obtaining the advice of the Article 29 Working Party (i.e. the 28 national data protection authorities) and after consulting a committee composed of representatives of the Member States.

If you wanted to, you can read the current draft “adequacy decision” - http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision_en.pdf

The internal adoption period of the adequacy decision in the EU is currently expected to conclude in June 2016.

On the other side of the Atlantic, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.

Update: At press conference on 13th April, the Art. 29 Working Party stated it could not support the Commission’s draft adequacy decision in its present form.  Although they noted that the EU-US Privacy Shield is a step in the right direction and contains “important improvements” over Safe Harbor, it couldn’t however agree that is guaranteed adequate protection. They will wait on some clarification from the European Commission on certain aspects.

What does this mean for our customers?

NationBuilder, like most tech companies is now standing by to wait for the text to be adopted by all necessary parties.

In the meantime, we have Data Processing Agreements in place for our European customers to sign. Please email [email protected] for questions or to receive the agreement to sign.

We are also continuing to evaluate long term solutions, such as placing servers in Europe and continuing to grow our European team and presence.

This means our EU customers can continue to use NationBuilder. And we are as committed as ever to continued service for our EU customers.

Stay up-to-date

For all Safe harbor updates and to keep up with progress - http://nationbuilder.com/safe_harbor

For frequently asked questions you can visit the European Commission's website - http://europa.eu/rapid/press-release_MEMO-16-434_en.htm

Update (4th June 2016): On 30th May, the European Data Protection Supervisor (EDPS), an independent institution of the EU, adopted its opinion on the EU-US Privacy Shield. 

According to the EDPS, the draft decision does indeed show numerous improvements compared to the now invalid Safe Harbour Decision, in particular with respect to the principles for processing of data for commercial purposes.  That being said, the EDPS flagged a number of key points it still had concerns with and proposed a number of recommendation.

According to Euractiv, Justice Commissioner Vera Jourova told MEPs last week "that she wants the deal to be approved by summer, but the executive is still finalising details with US officials. A group of diplomats from EU member states have to give their approval before the agreement can go into effect. So far the group has meetings scheduled through until the end of June."