Update 4 March 2016: Privacy Shield takes a step forward – What are the implications for your company?
On February 29 the European Commission published a draft adequacy decision and accompanying texts, including the Privacy Shield Principles, creating a renewed framework for commercial data exchange that will later constitute the EU-U.S. Privacy Shield, a new arrangement for transatlantic data flows. The Commission also issued a Communication summarising the actions taken over the past years to restore trust in transatlantic data flows since the Snowden surveillance revelations in 2013.
We expect the European Commission to adopt the adequacy finding. Once adopted, the finding will establish that the safeguards provided when transferring data under the new EU-U.S. Privacy Shield correspond to data protection standards in the EU. The new framework is said to follow the requirements set down in the Schrems judgment.
This will have certain implications for U.S. subsidiaries or business partners in terms of compliance mechanisms for lawfully transferring personal data from the EU to certified U.S. organizations.
Practical Implications for Your Company
The major implications for your U.S. subsidiaries or business partners are that:
- they can voluntarily decide to self-certify under the EU-U.S. Privacy Shield, after which they are bound by the Privacy Principles. In this case, your U.S. subsidiaries or business partners must annually re-certify their participation in the framework in order to continue to rely on the Privacy Shield to receive personal data from the European Union.
- U.S. organizations that were previously certified in the Safe Harbour Program must assess how the new compliance requirements affect their existing privacy practices before they can accede to the new regime.
The Article 29 Working Party will adopt its opinion at the next plenary meeting on 12 and 13 April 2016, and altogether it is expected that the process leading to the adequacy finding will take several months.
Borenius can help ensure your compliance with the new regime. If you are interested in learning more about the topic or need to review your privacy practices or policies, please contact us at your convenience.
Legal Alert, 12 February 2016: The EU and the U.S. have agreed on a new framework for transatlantic data flows. The EU–U.S. Privacy Shield is expected to replace the Safe Harbour framework, which was declared invalid by the European Court of Justice in the Schrems case on 6 October 2015.
The details of the EU–U.S. Privacy Shield have not yet been made available, but the EU Commission has stated that the new framework reflects three key elements:
- Strong obligations on companies handling EU citizens’ personal data and robust enforcement
- Clear safeguards and transparency obligations on U.S. government access
- Effective protection of EU citizens’ rights with several redress possibilities
Before the final approval of the Privacy Shield framework, there is still a lot of work to be done. However, the EU–U.S. data transfer framework took a step forward on 9 February 2016 when the U.S. Senate passed the so-called Judicial Redress Act (“JRA”), which has been the prerequisite to a law enforcement data-sharing agreement between the EU and U.S., otherwise known as the “Umbrella Agreement”. Although passing the JRA has not been considered as a prerequisite for adopting the Privacy Shield arrangement, it has been argued that it plays an important role as a signal of trust and reliability.
In the EU, the next step is to prepare a draft “adequacy decision” in the coming weeks. Before adopting the decision, the College of Commissioners will consult the Article 29 Working Party (“WP29”) and a committee composed of representatives of the Member States.
The WP29 gave its statement on the consequences of the Schrems judgment on 3 February 2016 to clarify the situation and the impact on transfers of personal data from the EU to the U.S. and to assess the Privacy Shield framework. According to the statement, the WP29 will complete its assessment of all personal data transfers to the U.S. after receiving all the documents pertaining to the new arrangement.
The WP29 will also consider whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S. In the meantime, the WP29 considers that this is still the case for existing transfer mechanisms.
Borenius follows the situation closely and will provide updates on the progress of this matter.