The Privacy Shield is the culmination of intense negotiations between the European Commission and the U.S. Department of Commerce. The two sides needed to agree on a framework that ensures the protection of personal data transferred across the Atlantic for commercial purposes.
The Privacy Shield replaces ‘Safe Harbour’, which was declared invalid by the European Court of Justice (ECJ) in October 2015.
The old ‘Safe Harbour’ was declared invalid following a legal challenge by Maximillian Schrems, an Austrian privacy activist (see Maximillian Schrems v Data Protection Commissioner), for its failure to adequately protect the fundamental rights and freedoms of EU individuals with respect to the processing of their personal data once transferred from an EU member state to the United States.
The challenge followed the Snowden revelations, which showed that Safe Harbour did nothing to prevent U.S. intelligence agencies from gaining access to personal data on a large scale.
The departure of Safe Harbour therefore left a void: a new framework regulating transatlantic transfers was required to fill it.
The U.S. has given assurances that there will be clear safeguards and greater transparency with respect to how data is used. Any access by public authorities for national security and law enforcement purposes will be subject to clear limitations, safeguards and oversight mechanisms.
Under the new framework the U.S. will not be permitted to carry out indiscriminate mass surveillance. To support this, companies will henceforth be able to report the number of access requests they have received. There will also be an ombudsperson, independent from the intelligence agencies, to whom individuals can turn for redress.
The European Commission and the U.S. Department of Commerce, along with U.S. intelligence experts and European Data Protection Authorities, will jointly monitor the operation of the Privacy Shield. The European Commission will issue a public report to the European Parliament and to the Council based on the annual joint review and on other sources of information.
U.S. companies importing personal data from Europe will be subject to strong obligations to ensure an adequate level of protection. They must self-certify annually that they meet the requirements and must display their privacy policy on their websites. Additionally, U.S. companies transferring personal data onward to third parties must ensure that those third parties afford the same level of protection as participants in the Privacy Shield. The U.S. Department of Commerce is now responsible for monitoring compliance and for imposing sanctions on, or excluding from the scheme, U.S. companies where required.
Individuals now have several avenues of redress. An individual can complain to the relevant company directly, and the company must reply to the complaint within 45 days. Alternatively, individuals can seek redress through Alternative Dispute Resolution (ADR), which will be free of charge to them.
The Data Protection Authorities will also work closely with the U.S. Department of Commerce and the Federal Trade Commission to ensure that complaints made by EU citizens over the use of their personal data are investigated and resolved expediently. Furthermore, there is a Privacy Shield Panel, which will act as an arbitration mechanism by providing an enforceable decision, although this option should be used only as a last resort.
The Privacy Shield was formally adopted on 12th July 2016, and U.S. companies have been able to certify with the U.S. Department of Commerce since 1st August 2016.
Whilst self-certifying may not present too many difficulties for large organisations, smaller companies will no doubt have to weigh the cost of complying with the new policies against the benefit they will derive from certification. In most cases this will mean that existing working practices, procedures and protocols have to be amended. Additionally, contracts governing onward transfers to third parties may need to be renegotiated.
The Privacy Shield clearly shows a positive commitment from the EU to upholding the rights of EU individuals, and a positive step from the U.S. in recognising the need for transparency and for limits on access when dealing with personal data.
The above is a general position of the law and does not constitute legal advice. Please do not hesitate to contact Nath Solicitors for further information.