The European Commission has adopted the EU-U.S. Privacy Shield, a new framework that protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States. The measure also aims to bring legal clarity for businesses relying on transatlantic data transfers.

Under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.

“The new EU-U.S. Privacy Shield will protect the personal data of our people and provide clarity for businesses,” said Andrus Ansip, commission vice president for the Digital Single Market. “We have worked hard with all our partners in Europe and in the U.S. to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy. We now have a robust framework ensuring these transfers take place in the best and safest conditions.”

“The EU-U.S. Privacy Shield brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints,” added Věra Jourová, commissioner for justice, consumers, and gender equality. “The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the member states and our U.S. counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data”.

The U.S. government has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Under the scheme, everyone in the EU will, also for the first time, benefit from redress mechanisms in this area. The U.S. has ruled out indiscriminate mass surveillance on personal data transferred to the U.S. under the shield arrangement.

The Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an ombudsperson mechanism within the Department of State.

Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. European national data protection authorities will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved.

The decision to adopt the Privacy Shield entered into force immediately, and, on the U.S. side, one it is published in the Federal Register. Companies will be able to certify with the Commerce Department starting August 1.