Does Privacy Shield Safeguard an Adequate Level of Data Protection?
The Privacy Shield became necessary because the CJEU, in its decision of October 6, 2015, annulled the European Commission's earlier Adequacy-Decision on Safe Harbor (we reported on this in Updates Data Protection no. 1, 2 and 5). The Privacy Shield is supposed to address the CJEU's concerns about Safe Harbor and to provide a new, legally reliable basis for the transfer of personal data across the Atlantic.
The Privacy Shield first of all provides for new so-called Privacy Principles. Companies in the USA need to submit to the Privacy Principles when registering on a list of self-certified companies, as they had to do before under Safe Harbor. The Privacy Principles mirror European data protection principles, such as the requirement to notify users of the use of their personal data ("Notice Principle"), to give data subjects certain options to object ("Choice Principle"), to implement reasonable and proportionate security measures ("Security Principle", which includes the obligation to enter into written contracts with sub-contractors), purpose limitation ("Data Integrity and Purpose Limitation Principle"), information rights ("Access Principle"), limits on the onward transfer of personal data ("Accountability for Onward Transfer Principle") and legal redress ("Recourse, Enforcement and Liability Principle").
These obligations, as well as the requirement to notify data subjects about participation in the Privacy Shield, go beyond the earlier provisions of the Safe Harbor Agreement. On the one hand, data subjects' rights can be expected to be better taken into account. On the other hand, the new Privacy Principles appear to impose stricter requirements on US companies, which makes it doubtful whether they will actually self-certify under the Privacy Shield.
In order to enforce the new obligations, the Adequacy-Decision lists several legal remedies, inter alia an independent arbitration body. Further, the national Data Protection Authorities in the European Union shall have the opportunity to suspend data transfers based on the Privacy Shield should they learn from data subject complaints that the Privacy Principles might not be complied with. The German Data Protection Authorities in particular can be expected to make use of this opportunity, as they view any transfer of personal data to the USA very critically.
Additionally, in the draft Adequacy-Decision the European Commission extensively addressed the legal remedies available to data subjects against access to their personal data by US security agencies. This was one of the main concerns of the CJEU in the Schrems decision. However, it is questionable whether the European Commission's explanation meets the CJEU's concerns. While there is supposed to be a so-called Ombudsman who takes complaints from European data subjects, it seems doubtful that the Privacy Shield actually restricts the access rights of US security agencies and improves legal redress. Therefore, it remains to be seen whether the CJEU's requirements are actually met.
The European Commission is now conducting a consultation on the draft Adequacy-Decision with the aim of adopting the final decision in the near future.
Companies should wait for the results of the consultation. Should the Adequacy-Decision not change, it cannot be excluded that the CJEU will rule on this topic again in the near future and uphold its concerns. Therefore, companies should continue to plan with alternative methods, such as the EU Standard Contractual Clauses, for their transfers to the USA. Alternatively, they should still consider processing personal data in Europe. In the event the Adequacy-Decision is handed down, there still remains the risk that the German Data Protection Authorities will use their suspension right upon a data subject's complaint. This would mean that even transfers based on the Privacy Shield could be held unlawful on a case-by-case basis. Therefore, the Privacy Shield's reliability as a basis for data transfers to the USA must be questioned.