I am pleased to be back with you to provide an update on the talks with the United States on a new framework for transatlantic data flows and to hear your views on this subject.
Tomorrow, the College will discuss the state of play of the negotiations with the U.S. and I would like to inform my colleagues of the positions you express tonight.
Let me recall that, immediately after Court ruling of the 6th of October in the Schrems case, the Commission set the objective of creating a strong robust new system, to overcome the weaknesses of the old Safe Harbour.
Our key aims remain
- to ensure that citizens fundamental right to protection of personal data is guaranteed when their data is transferred abroad;
- to allow transatlantic data flows – which are important to the economy – to continue with the necessary safeguards.
On the 6th of November last year, the Commission set the aim of putting in place a robust new framework within 3 months. And we made clear that the new framework has to fully respect the requirements of the Court ruling. We need an arrangement that is fundamentally different from the old Safe Harbour that has been annulled. And we will ensure continuous monitoring and review of the new arrangement. It cannot be a 'one-off' decision, like it was 16 years ago.
Over the past months we have intensively worked with the U.S. in order to obtain the needed commitments and clarifications to put in place a new arrangement that meets the legal requirements.
An adequacy decision is a unilateral decision. We need strong commitments from the US to achieve this.
We have underlined to our American partners that any new adequacy decision must be able to withstand a new legal challenge. This is important for the standard of fundamental rights protection, but also to ensure legal certainty for business.
Negotiations are still ongoing, including at the political level, There have been very intensive discussions at the weekend. The College will discuss the matter tomorrow, so I'm not yet in a position to enter into detail. But let me give you an overview of the key issues and the state of play.
My remarks will focus on four key issues of the judgement:
- the need for limitations and safeguards as regards access to data by public authorities;
- independent oversight and individual redress in the area of national security;
- resolution of individual complaints about how companies process personal data; and
- the need for binding commitments from the U.S. side.
Let me begin with the limitations and safeguards as regards access to data by public authorities.
As you know, the Schrems ruling has made clear that such access must be limited to what is strictly necessary.First of all, let me recall that the U.S. framework has evolved since the Snowden revelations. There have been important reforms under President Obama introducing stronger oversight and more transparency. In the context of our negotiations, we are obtaining specific written assurances from the U.S. that access by public authorities to personal data transferred from Europe will be limited to what is necessary and proportionate.These assurances must confirm that there is no indiscriminate mass surveillance and that safeguards for individuals also apply to non-U.S. persons.And let me be very clear, we will need to continue to monitor developments in this area also in the future.We need trust, but we have a duty to check. For this purpose, we will put in place an annual joint review, which will look at all aspects of the arrangement, including access to data by public authorities.
Turning to the second area: independent oversight and individual redress. The possibilities for judicial redress are limited when it comes to national intelligence.
However, we need to ensure a functionally independent body who will answer individual complaints from Europeans if they fear that their personal information has been used in an unlawful way by U.S. authorities in the area of national security. A body that has access to the information from the national security bodies. This could be done by an Ombudsperson with a real capacity to act, which would give a response to individual complaints
Let me now turn to resolution of complaints against companies in case of privacy violations.
We are working on an arrangement that ensures that any individual complaint is resolved, one way or the other:
- Ideally, and as shown by experience, the complaint will be resolved by the company itself.
- If not, the citizen can use alternative dispute resolution, which would now be free of charge.
- The citizen can also go to the Data Protection Authority, who can channel complaints to the U.S. Department of Commerce of Federal Trade Commission.
- However, there may be unresolved complaints on issues that may not be taken up by the Federal Trade Commission. (The FTC looks at strategic issues, rather than individual complaint-handling).
- Therefore, we are working on a "last resort" mechanism to ensure that all complaints are resolved through a binding an enforceable decision.
- This is essential for a new arrangement, given that the right to legal remedy is enshrined in our Charter of Fundamental Rights.
Let me also stress that European Data Protection Authorities must have an active role in the new arrangement. They are the guardian of individuals' right to protection of personal data under the Charter. The DPAs must have the possibility to refer complaints – whether it is on commercial aspects or on national security - and to uphold the rights of Europeans when their data is transferred to the EU.
Finally, we need commitments by the U.S. that are formal and binding. As this will not be an international agreement, but an exchange of letters, we need signatures at highest political level and publication of the commitments in the Federal Register.
To sum up, we have worked hard to obtain commitments from the U.S. to ensure that any new arrangement meets the requirements of the Court ruling.
We are aiming for a robust new system that, unlike Safe Harbour:
- ensures that any individual complaint is resolved,
- includes guarantees that access by public authorities is limited to what is proportionate or necessary,
- will be closely monitored and reviewed on a regular basis with the involvement of national security bodies and DPAs.
I will not hide that these talks have not been easy. It is not an easy task to build a strong bridge between two legal systems which have some major differences.
But I believe that the close partnership between Europe and the United States deserves these special efforts. On their side and on ours.
I will speak to Commerce Secretary Penny Pritzker later this evening to discuss the remaining open issues.
We are close, but an additional effort is needed.
I count on your support for the conclusion of the talks with the U.S. as soon as possible.
And I can assure you that the Commission will fully debrief you on the next steps.