EU-U.S. Privacy Shield – new transatlantic data protection rules in force
On 12 July 2016 the European Commission adopted the EU-U.S. Privacy Shield (Privacy Shield). This new legal framework aims to protect the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as to bring legal clarity for businesses relying on transatlantic data transfers. The European Commission’s "adequacy decision" was notified to the Member States and thereby entered into force immediately. On the U.S. side, the Privacy Shield framework was published in the Federal Register on 2 August 2016. The U.S. Department of Commerce has now started operating the self-certification process and offers the opportunity for organizations to participate at the following website: https://www.privacyshield.gov/welcome.
The Privacy Shield reflects the requirements set out by the European Court of Justice (ECJ) in its ruling of 6 October 2015 (“Schrems Decision”), which declared the former Safe Harbour framework invalid. In 2016 the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic exchanges of personal data for commercial purposes: the Privacy Shield. Following the opinion of the Article 29 Working Party (the data protection authorities) and the European Parliament resolution, the European Commission finalised the adoption procedure.
Changes by the Privacy Shield compared with Safe Harbour
Many of the principles which form the basis of the Privacy Shield will be familiar to organizations that already made use of the Safe Harbour certification in the past. However, some new aspects have to be taken into account:
- Participants must review and, where necessary, redraft their privacy policies to ensure full compliance. Such policies have to be published.
- The U.S. Department of Commerce will monitor compliance with the new principles. Participants who repeatedly fail to comply will be removed from the Privacy Shield list.
- A Participant will be liable for any onward data transfer to third parties. Reasonable and appropriate steps must be taken to ensure that the recipient, too, processes personal data only in accordance with the Privacy Shield’s rules.
- Participants have to offer a free dispute resolution mechanism and must submit to binding arbitration at the request of the individual to address any complaint that has not otherwise been resolved.
- The U.S. Department of Commerce may require full cooperation from a Participant in answering any request or inquiry relating to compliance with the Privacy Shield.
- Any relevant Privacy Shield-related section of a compliance or assessment report submitted to the Federal Trade Commission (FTC) must be made public if the Participant becomes subject to an FTC or court order based on non-compliance.
Companies that were certified under Safe Harbour will most likely rely on the Privacy Shield and should start registration immediately. Companies carrying out transatlantic data transfers that are not yet certified may do likewise. Alternative arrangements for protecting transatlantic data transfers in accordance with the rules outlined by the European Court of Justice will become less advisable, since they require much more attention and appear to increase the risk of non-compliance.
Dr. Tilo Jung