The European Commission has, after considering opinions from the Article 29 Working Party (the group made up of Europe's data protection regulators), the European Data Protection Supervisor, and the resolution of the European Parliament, made a number of additional clarifications and improvements to the draft "Privacy-Shield" it presented in February 2016, and on 12 July 2016 launched the EU-U.S. Privacy Shield.
The Article 29 Working Party still has some reservations about Privacy-Shield, including the lack of clarity around data processor obligations and the lack of formal protection against mass surveillance by US security services. However, the group of regulators has praised other improvements made by the Commission and will reserve judgment on any concerns until the first annual review in 2017, thus giving the green light to "Privacy-Shield" for at least 12 months (there are some concerns that Privacy-Shield may, like its predecessor, be referred to the CJEU, but this is unlikely to happen before the first annual review).
Back to Business
The Privacy Shield will provide companies with a framework for certifying transatlantic data transfers, restoring a mechanism for adequately transferring data to U.S. companies that have signed up to the Privacy-Shield.
Safe Harbor 2.0
The Privacy Shield has been developed as a consequence of political and economic pressures created by the lack of a framework protecting the flow of personal data between the U.S. and Europe.
The "Privacy-Shield" will protect the fundamental rights of European citizens whose personal data is transferred to the U.S. and bring some more legal certainty for businesses relying on transatlantic data transfers.
Privacy Shield vs Safe Harbor
"Certified" companies must comply with the Privacy Shield principles, following the certification process (set out below).
The Privacy Shield core principles are largely based on the previous Safe Harbor principles; however, there are some significant changes:
- Supervision. The US Department of Commerce ("DOC") will monitor and supervise certified companies and implement sanctions including the potential removal of non-compliant companies from the certified list.
- Accountability for onward transfers. Certified companies must ensure that onward transfers of personal data to third parties are covered by the same level of protection that the certified company is providing.
- Data retention. Certified companies will be entitled to keep personal data only for as long as retention is required to serve the purpose for which it was collected.
- US government surveillance. The US government has provided a number of assurances and commitments not to conduct indiscriminate mass surveillance of European personal data. The Office of the Director of National Intelligence has clarified that bulk collection of data can only be used in a focused manner, and must be filtered to remove non-pertinent information. On 24 February 2016 President Obama signed the Judicial Redress Act (H.R.1428) into law. The Judicial Redress Act provides European citizens with the right to challenge misuse of their personal data in US courts. This is one of the key areas of concern which the Article 29 Working Party intends to revisit after the first annual joint review.
- Annual joint review. The European Commission and the DOC will work together to conduct annual reviews of the operation of the Privacy Shield to promote transparency and address concerns during the previous 12 months.
- Redress mechanisms. The Privacy Shield allows European citizens multiple redress mechanisms to contest any misuse of their personal data, including:
- Mandated response times for certified companies. Participant companies must respond to a complaint within 45 days.
- EU DPA. European data protection authorities may feed complaints to the DOC or Federal Trade Commission ("FTC"), providing another avenue.
- Privacy Shield Panel (Arbitration). This will be a flexible and accessible panel (offering participation by video conference, translation and interpretation) that will have the power to issue binding decisions on certified companies.
- Ombudsman (National Security). An independent US watchdog will be available to determine if the Privacy Shield has been breached in relation to surveillance issues.
The certification process for U.S. companies is entirely voluntary. Self-certification becomes available from today (1 August 2016).
Companies will be able to self-certify on an annual basis that they meet the Privacy Shield requirements by taking the following steps:
1. Confirm their eligibility to participate in the Privacy Shield. Any US company that is subject to the FTC or the Department of Transportation may participate.
3. Identify the company's independent recourse mechanism. Self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual.
4. Ensure that the company has a compliance verifying mechanism.
5. Designate a contact within the company regarding Privacy Shield.