Insights
Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.
Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.
Proposed “Privacy Shield” is unveiled for EU-US transfers of personal data
On 29 February 2016, the European Commission published a draft legal text setting out the new “Privacy Shield” framework, which is intended to replace the invalidated Safe Harbor scheme.
The Commission has said that, once in force, Privacy Shield will ensure an adequate level of protection for personal data transferred from the European Economic Area (EEA – the 28 EU member states plus Iceland, Norway and Liechtenstein) to the US, in compliance with current EU data protection laws.
The published text is in the form of a draft “adequacy decision”, which will be subject to further scrutiny by certain EU institutions before it comes into force. For background on the invalidation of Safe Harbor, please see our update here.
The European Commission and its US counterparts have also agreed an ‘Umbrella Agreement’, which sets out data protection standards for transatlantic law enforcement cooperation. EU Commissioner Věra Jourová said that: “once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic”.
How will Privacy Shield protect personal data?
The Commission has announced that the Privacy Shield framework will address the inadequacies of the Safe Harbor scheme as identified both in the Schrems decision of the Court of Justice of the European Union (CJEU), which invalidated Safe Harbor last year, and the Commission’s own recommendations made in 2013.
This will be achieved through the following features, as summarised in the Commission’s factsheet:
- US companies: Participating US companies will need to self-certify their compliance every year with the seven Privacy Shield ‘Privacy Principles’, which contain robust obligations on the processing, security and onward transfer of personal data. Sanctions for non-compliance include removal from the Privacy Shield list of participating companies, with the reason for the removal being published, and/or civil remedies pursued by the US Federal Trade Commission (FTC) through the courts.
- Redress for data subjects: Individuals will have access to redress mechanisms for breach of the Privacy Principles, including the ability to complain to the relevant Privacy Shield-certified company (to which the company must respond within 45 days), access to free alternative dispute resolution and, as a last resort, access to arbitration proceedings via the ‘Privacy Shield Panel’. EEA data subjects will also be able to enforce their privacy rights in the US courts, following the passing of the US Judicial Redress Act.
- US government access: The US government has given written assurance that any access to personal data of EEA individuals by US government departments will be subject to clear limitations, safeguards and oversight mechanisms. Individuals will be able to complain to an independent US Privacy Shield Ombudsman in relation to US intelligence activities.
- Monitoring: The functioning of Privacy Shield will be monitored through an annual joint review mechanism, as conducted by the European Commission and the US Department of Commerce, EU national Data Protection Authorities and US national intelligence experts.
Next steps
Before it can come into effect, the draft Privacy Shield adequacy decision will need to be considered by the Article 29 Working Party (A29WP), the EU’s independent data protection advisory body, and a committee of representatives from each EU member state.
It is too early to say whether the proposed Privacy Shield, in its current form, will fulfil the aim providing adequate protection for personal data transferred to the US. The A29WP announced that it will analyse the proposed framework “with great attention”, and provide an opinion on the level of protection it affords, in the light of the Schrems decision and the four guarantees that it has determined for processing of personal data by intelligence agencies:
- data processing should be based on clear, precise and accessible rules;
- data collection and processing should be proportionate and necessary to legitimate objectives;
- an effective and independent oversight mechanism should exist; and
- effective remedies should be available to individuals whose personal data is processed unlawfully.
In the meantime, the A29WP and the Information Commissioner’s Office, the UK data protection regulator, have stated that businesses should use other tools to ensure compliance with EU data protection laws when transferring personal data to the US, including the use of “Model Clauses” and binding corporate rules.
Click here for the European Commission press release.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.