by Laura Fannin, 25 August 2016, in Commercial & Business, Data Protection

The European Commission’s Privacy Shield aims to address the legal uncertainty around the commercial transfer of personal data between the EU and the US. Laura Fannin outlines the key data protection and compliance issues.

In October 2015, a ruling by the Court of Justice of the European Union (CJEU) in the Schrems case invalidated the Safe Harbour regime – an agreement on EU-US data transfer. Privacy Shield, the European Commission’s Schrems-compliant replacement for Safe Harbour, has now become law.

After two and a half years of negotiations between the EU and the US, the European Commission finally adopted the Privacy Shield on 12 July 2016. The Privacy Shield became effective immediately and companies have been able to self-certify with the US Department of Commerce from 1 August 2016. As of today’s date approximately 40 US companies have self-certified according to a list released by the US Department of Commerce. The list includes Microsoft and Salesforce Inc.

The Schrems decision

In the EU, the general rule is that personal data cannot be transferred to a third country unless that country ensures an adequate level of data protection. In assessing the adequacy of the protection the European Commission considers the laws in force in that country and the security measures in place.

The Safe Harbour regime, established in 2000, was a voluntary initiative which provided a legal basis for transfer of personal data from the European Union to the US. It allowed US organisations to self-certify annually to the US Department of Commerce that their processing of EU personal data was undertaken in accordance with seven Safe Harbour privacy principles concerning notice, choice, onward transfer, access, security, data integrity and enforcement.

The Schrems case arose from a complaint to the Irish Data Protection Commissioner by Max Schrems, an Austrian national. He was concerned by Edward Snowden’s revelations in 2013 of alleged mass surveillance by US security authorities of personal data and asked the Irish Data Protection Commissioner to investigate whether there was adequate protection for his personal data that was transferred by Facebook Ireland to Facebook US. 

The CJEU decided in favour of Mr Schrems because:

• In approving the Safe Harbour regime the Commission had failed to ensure that the US provided a level of protection of personal data which was essentially equivalent to that guaranteed within the EU.

• The Safe Harbour agreement potentially deprived data subjects of their right of access to data protection supervisory authorities who are vested with the authority to exercise independent oversight of data controllers within their jurisdiction.

The Privacy Shield

In February 2016 the Commission published details of the Privacy Shield, the proposed new framework for commercial data transfers between the EU and the US. It has now replaced Safe Harbour.

The Privacy Shield is based on a system of self-certification by which US organisations commit to a set of seven key privacy principles:

1. Notice. The organisation must provide information to individuals on a range of items, including its participation in the Privacy Shield, the types of data collected, the purposes for which the data is collected and used and the right of access.

2. Choice. Individuals may opt out of the disclosure of their data to a third party and the use of their data for a new, materially different purpose to the original purpose. In the case of sensitive personal data, organisations must obtain the consent of the data subject by way of an opt-in.

3. Security. The organisation must take reasonable and appropriate security measures, taking into account the nature of the data.

4. Data integrity and purpose limitation. Organisations must limit the personal data to what is relevant for the purpose of processing. It must be accurate, complete and current.

5. Access. Data subjects have the right to obtain from an organisation confirmation of whether the organisation is processing their personal data and to a copy of that data.

6. Accountability for onward transfer. For onward transfers to a third party controller, organisations are required to enter into certain contracts, and are constrained in their ability to engage in onward transfers.

7. Recourse, enforcement and liability. The Privacy Shield scheme creates a series of recourse mechanisms to which organisations will be subject, including enforcement by the Department of Commerce and independent authorities such as the Federal Trade Commission. It provides for the creation of an Ombudsperson and investigation by a panel of European data protection authorities.

Special rules providing additional safeguards apply to human resource data collected in an employment context. For instance, employers should accommodate the privacy preferences of employees by restricting access to the personal data, anonymising certain data or assigning codes or pseudonyms.

The US government has given written assurances that any access to personal data by US authorities will be subject to clear limitations and oversight mechanisms. Further, there will be no indiscriminate or mass surveillance of European personal data.

The Privacy Shield contains a number of avenues for redress for data subjects if they have concerns about the processing of their personal data. In the first instance a data subject may lodge a complaint with the company itself. Data subjects may also make a complaint to the relevant national data protection authority, which will refer it to the US Department of Commerce or the Federal Trade Commission. There is also an alternative dispute resolution procedure which organisations must sign up to. In addition there is a Privacy Shield Ombudsperson to whom data subjects can complain if they are concerned that there has been unlawful use of their data by US authorities.

Early days of the Privacy Shield

The Privacy Shield was formally adopted by the Commission following a consultation process including a review by the Article 29 Working Party, which is a collective group of European data protection authorities. The working party acknowledged that the Privacy Shield is a significant improvement on the Safe Harbour framework and that many of the shortcomings of the Safe Harbour framework it had previously identified had been addressed by the Privacy Shield. However, the working party recommended greater clarity in the language used in the draft and expressed concerns with respect to both the commercial and national security aspects of the Privacy Shield.

The net result is a new framework that aims to bring legal clarity which the Commission says lives up to the requirements of the European Court of Justice's decision in the Schrems case. Read more on the Commission's decision here, including a Privacy Shield factsheet.


http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm
