Privacy Shield Q&A – What it is and what it means for you

The European Commission has officially adopted the EU-U.S. Privacy Shield arrangement. EU Justice Commissioner Věra Jourová announced the adoption at a press conference with U.S. Department of Commerce Secretary Penny Pritzker. “Ladies and Gentlemen, I am very pleased to announce that this morning the European Commission has adopted the decision on the EU-US Privacy Shield, the new data protection framework for transatlantic transfers of personal data,” said EU Justice Commissioner Věra Jourová.

Since we heard back in 2015 that the Court of Justice of the European Union (CJEU) ruled that Safe Harbor isn’t an adequate means of ensuring data protection, we’ve been keen to hear about how these changes are going to happen, as every marketer needs to be aware of them. So we interviewed our favorite expert on such matters, Steve Henderson, Compliance Officer with Communicator.

What is it?

A replacement for Safe Harbor: a means of allowing data flows between EU and U.S. companies while maintaining a high standard of protection for Europeans’ personal data. Specifically, Privacy Shield provides rules for transatlantic data retention and sharing, gives Europeans safeguards and legal redress for breaches, strengthens enforcement, introduces an independent oversight body, and clarifies data collection practices by U.S. security agencies.

How is it different from Safe Harbor?

Regular updates and reviews of participating companies, placing more obligations on companies handling data, while allowing the flexibility to adapt to changes in technology and data use.

Clear safeguards and transparency obligations on U.S. government access: The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms.

Annual joint review mechanism between the European Commission and the U.S. Department of Commerce. The review will monitor effectiveness, which will allow the Privacy Shield mechanism to remain responsive to change.

How it works

The Privacy Shield, similar to Safe Harbor, is based on a system of self-certification where organisations commit to the Principles of the agreement. The Principles apply to both data controllers and processors, with “the specificity that processors must be contractually bound to act only on the instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles.”

The 7 Principles are:

Notice

Choice

Data Integrity and Purpose Limitation

Access

Accountability for Onward Transfer

Security

Recourse, Enforcement and Liability

When will the Privacy Shield be effective?

U.S. companies will be able to be Privacy Shield certified with the Commerce Department from 1st August 2016.

What does it mean for you in practice?

U.S. companies will have to:

Self-certify annually that they meet the requirements

Display their privacy policy on their website

Reply promptly to any complaints

Cooperate and comply with European Data Protection Authorities.

For European individuals

U.S. processors will have to adhere to EU-style data processing limitations. In line with EU principles, U.S. processors can only process personal information that is “relevant for the purposes of processing” and, moreover, may not “process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.” This language will be very familiar to anyone already operating in the EU.

EU Companies wishing to transfer data to (or otherwise give access to) U.S. companies

As with any agreement where data sharing, data transfers or data access is involved, due diligence should be performed.

Part of this due diligence should be to make sure that there is a legal basis for the data transfer.

Working with U.S. partners and technology providers who are Privacy Shield accredited will help demonstrate this legal basis.

What about Brexit – Does this change what UK companies should do?

Assuming the UK wishes to trade with EU organisations and provide products and services to people in mainland Europe, the UK will have to have adequate data protection laws.

This means the UK will need to apply the GDPR or an equivalent set of standards.

Under the GDPR or an equivalent, if a UK organisation wished to transfer data to a U.S. organisation, it would need to demonstrate a legal basis for that data transfer, as with EU organisations. Working with U.S. partners and technology providers who are Privacy Shield accredited will help demonstrate this legal basis.

What to look out for in the future

Templates, frameworks and other practical advice from industry bodies and regulators.

Privacy Shield provisions will also be extended to alternative data transfer mechanisms, such as EU Model Clauses.

Article 29 Working Party to analyse the deal and give their recommendations.

With the GDPR coming into force in 2018, expect the Privacy Shield obligations on controllers and processors to increase in line with the GDPR. As such, organisations on both sides of the Atlantic should understand the GDPR requirements and start taking steps towards those standards.

Does everyone think it’s great?

No. MEP Jan Philipp Albrecht, who worked on the GDPR, harshly criticised the Privacy Shield for not being up to the standard of the GDPR and said the European Commission “just signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights.”

Privacy activist Max Schrems states that “This deal is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution.”

http://www.europe-v-facebook.org/PA_PS.pdf

Further Reading:

Full Press Release: http://europa.eu/rapid/press-release_IP-16-2461_en.htm

EU Fact sheet: http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_eu-us_privacy_shield_en.pdf

Privacy Shield Privacy Principles: 2.1 Privacy Principles – Paragraphs 19-29, http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision_en.pdf

Last updated: Jul 26, 2016