The new EU-US Privacy Shield Agreement (EU-US Agreement) aims to bring the level of protection afforded to EU citizens whose data is held on US soil in line with that currently enforced in the EU. Once the Agreement comes into force, it will increase the obligations on businesses that store such data in the US. The EU-US Agreement appears to be entering its final stages following long negotiations and the invalidation of Safe Harbour.
The Article 29 Working Party has issued an Opinion stating that Privacy Shield is an improvement on Safe Harbour. Despite this, it still expresses concerns that the EU-US Agreement does not yet afford the protection it is intended to give.
The EU-US Agreement will add accountability for ‘onward transfers’ of data. A self-certified company will remain liable for the processing of personal data by vendors acting on its behalf, unless it can prove that it was not responsible for the actions that led to an individual’s complaint.
Self-certified companies must put in place a mechanism for individuals to submit complaints, and must respond to complaints from EU citizens within 45 days. They must also designate an independent dispute resolution body, to which EU citizens can refer unresolved disputes at no cost.
Individuals must be given a choice as to whether their data is passed on to third parties, and must be able to access their personal data in order to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy.
In addition to information about what data the company collects and how it uses it, individuals must be told, in clear and conspicuous language, how the company responds to lawful requests from public authorities, and which independent dispute resolution body they can turn to should a complaint be left unresolved.
In order to comply, many businesses will need to invest in robust policy development and execution, renegotiation of vendor agreements, an independent dispute resolution provider and annual compliance checks. Non-compliance can result in a US business losing its ability to receive personal data from the EU under the framework.
Please contact us for further information.