A peine adopté, l’accord Privacy Shield sur les données personnelles est déjà menacé

LE MONDE | |Par Martin Untersinger

http://www.lemonde.fr/pixels/article/2016/07/13/a-peine-adopte-l-accord-privacy-shield-sur-les-donnees-personnelles-est-deja-menace_4969020_4408996.html

L’avenir de l’accord « Privacy Shield » entre l’Union européenne et les Etats-Unis, obtenu après de longs mois de difficiles négociations sous l’égide de la Commission, est déjà menacé.

Cet accord établit un cadre légal pour les entreprises qui souhaitenttransférer des données personnelles d’Européens aux États-Unis : c’est le cas de nombreuses sociétés qui proposent des services européens mais sont basées outre-Atlantique. Le Privacy Shield, définitivement adopté par l’UE le 12 juillet, remplace le Safe Harbour, un accord du même type qui avait été invalidé en 2015 par la justice européenne.

Pour que l’accord soit conforme au droit européen, les États-Unis doiventoffrir aux données européennes sur leur territoire une protection« essentiellement équivalente » à celle que proposent les textes sur le Vieux Continent. L’ampleur de la surveillance menée sur Internet par les États-Unis, et l’absence de garde-fous pour les internautes européens avait lourdement pesé dans l’annulation du Safe Harbour.

Or rien n’indique à ce stade que les pratiques des services de renseignement américain aient significativement changé. Ainsi, l’accord prévoit que les États-Unis puissent surveiller les données des Européens dans les affaires de « sécurité nationale » ou lorsque « l’intérêt public » est en cause. Des notions floues qui laissent une bonne marge de manœuvre aux autorités américaines. Par ailleurs, la collecte de grandes quantités de données européennes est toujours envisagée… si un ciblage individuel n’est pas possible.

LIRE AUSSI :   Données personnelles : Bruxelles lance un nouveau cadre juridique pour les transferts vers les Etats-Unis

Une nouvelle invalidation ?

Même si la Commission insiste sur le fait que cet accord est« fondamentalement différent » du précédent qui a été annulé, cette permanence de la surveillance américaine pourrait être utilisée devant la justice pour obtenir, à nouveau, une annulation. C’est ce qu’a affirmé à plusieurs reprises Max Schrems, le juriste autrichien dont l’action en justice a conduit à l’annulation du Safe Harbour.

Continuer la lecture de A peine adopté, l’accord Privacy Shield sur les données personnelles est déjà menacé

European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows

Source : http://europa.eu/rapid/press-release_IP-16-2461_en.htm 

European Commission – Press release

Logo_CE_jpg

European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows

Brussels, 12 July 2016

Today the European Commission adopted the EU-U.S. Privacy Shield.

This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.

Andrus Ansip, Commission Vice-President for the Digital Single Market, said: « We have approved the new EU-U.S. Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions ».

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: « The EU-U.S. Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our U.S. counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data« .

The EU-U.S. Privacy Shield is based on the following principles:

  • Strong obligations on companies handling data: under the new arrangement, the U.S. Department of Commerce will conductregular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.
  • Clear safeguards and transparency obligations on U.S. government access: The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area. The U.S. has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement. The Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through anOmbudsperson mechanism within the Department of State.
  • Effective protection of individual rights: Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself; or free of charge Alternative Dispute resolution (ADR) solutions will be offered. Individuals can also go to theirnational Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be anarbitration mechanism. Redress possibility in the area of national security for EU citizens’ will be handled by an Ombudspersonindependent from the US intelligence services.
  • Annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the U.S. Department of Commerce will conduct the review and associate national intelligence experts from the U.S. and European Data Protection Authorities. The Commission will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.

Since presenting the draft Privacy Shield in February, the Commission has drawn on the opinions of the European data protection authorities (Art. 29 working party) and the European Data Protection Supervisor, and the resolution of the European Parliament to include a number of additional clarifications and improvements. The European Commission and the U.S. notably agreed on additional clarifications on bulk collection of data, strengthening the Ombudsperson mechanism, and more explicit obligations on companies as regards limits on retention and onward transfers.

Next steps: The « adequacy decision » will be notified today to the Member States and thereby enter into force immediately. On the U.S. side, the Privacy Shield framework will be published in the Federal Register, the equivalent to our Official Journal. The U.S. Department of Commerce will start operating the Privacy Shield. Once companies have had an opportunity to review the framework and update their compliance, companies will be able to certify with the Commerce Department starting August 1. In parallel, the Commission will publish a short guide for citizens explaining the available remedies in case an individual considers that his personal data has been used without taking into account the data protection rules.

Background

On 2 February 2016 the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic exchanges of personal data for commercial purposes: the EU-U.S. Privacy Shield (IP/16/216). The Commission presented the draft decision texts on 29 February 2016. Following the opinion of the article 29 working party (data protection authorities) of 13 April and the European Parliament resolution of 26 May, the Commission finalised the adoption procedure on 12 July 2016.

The EU-U.S. Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid.

For more information

Adequacy decision

Annexes

Q&A

Factsheet

Communication: Transatlantic Data Flows: Restoring Trust through Strong Safeguards