A&L Goodbody LLP
July 12, 2016 - Ireland

European Commission Adopts Privacy Shield
by Davinia Brennan

The European Commission has today adopted the Privacy Shield. The Privacy Shield is intended to provide a framework for EU-US data transfers.

What is the Privacy Shield?

European data protection law restricts the transfer of personal data outside the European Economic Area (EEA) unless the country to which the data is transferred ensures an adequate level of data protection. The Privacy Shield is a mechanism for overcoming this restriction and legitimising the transfer of personal data to some US companies.

Why do we need the Privacy Shield?

Until 6 October 2015, over 4,000 US companies relied on the Safe Harbour regime to legitimise the transfer of personal data to the US. The Safe Harbour regime was declared invalid by the Court of Justice of the EU (CJEU) on 6 October 2015. The Privacy Shield will replace the Safe Harbour regime.

After the CJEU's ruling many US companies turned to the Model Contractual Clauses to legitimise their transatlantic data transfers. The approval of the Privacy Shield will be welcomed by multinational companies, particularly as the Irish Data Protection Commissioner recently sought a referral to the CJEU to determine the legal status of data transfers under Model Contractual Clauses. However, Model Contractual Clauses remain a valid method of transatlantic transfer unless declared invalid by the CJEU, which may not be determined for up to another two years.

Announcing the adoption of the Privacy Shield today, the European Commission stated that:

"The new arrangement will impose stronger obligations on companies in the U.S. to protect the personal data of individuals and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including an increased cooperation with the European Data Protection Authorities.
The new arrangement includes written commitments and assurance by the U.S. that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalised access. The newly created Ombudsperson mechanism will handle and solve complaints or enquiries raised by EU individuals in this context".

How does the Privacy Shield seek to address the requirements set out by the CJEU in October 2015?

A Fact Sheet and Q&A published today by the European Commission state that the Privacy Shield will bring:

How will the Privacy Shield work in practice?

US companies will register to be on the Privacy Shield list and self-certify that they meet the high data protection standards set out by the arrangement. They will be required to renew their registration annually. While a company's decision to self-certify will be voluntary, once a company publicly commits to the Privacy Shield, its commitment is enforceable under US law by either the Federal Trade Commission or Department of Transportation.

The US Department of Commerce will monitor and actively verify that US companies' privacy policies are in line with the relevant Privacy Policy principles and readily available to the public. The US will maintain a list of Privacy Shield members, removing companies that leave the arrangement.

What redress options does the Privacy Shield provide for EU citizens in the US if their data is misused by Privacy Shield certified companies?

Any individual who considers that his/her data has been misused has several redress possibilities, including:

Can the Privacy Shield be challenged?

It remains to be seen whether privacy activists or European Data Protection Authorities will challenge the Privacy Shield, which can only be invalidated by the CJEU.
Although the Privacy Shield was approved by representatives of most EU Member States last Friday, it is notable that some countries reportedly abstained from voting, including Austria, Bulgaria, Croatia and Slovenia. In addition, whilst tech companies have welcomed the Privacy Shield, privacy activists have criticised it for not going far enough to protect the privacy of European citizens when their data is transferred to the US.

Next Steps

The European Commission's "adequacy decision" on EU–US transfers under the Privacy Shield will be notified to Member States today and enter into force immediately. The Privacy Shield agreement will be published in the Federal Register, and the US Department of Commerce will start operating the Privacy Shield. Companies will be able to certify with the Commerce Department starting 1 August 2016.

The European Commission has indicated that it will publish a short guide for citizens explaining the available remedies in case an individual considers that his/her personal data has been used without taking into account the data protection rules.