Following the ECJ’s decision in October 2015 declaring the former Safe Harbor transatlantic data flow framework between the EU and US null and void, the European Commission and the US Department of Commerce finally issued the legal documents constituting the successor framework, the “Privacy Shield”, on 29 February 2016.
Political agreement on the Privacy Shield had already been confirmed in early February 2016, with a commitment by the European Commission that the legal documentation would follow by the end of the month.
While the Privacy Shield is not yet in force – the Article 29 Working Party, composed of the EU Member States’ Data Protection Commissioners, will review and issue an opinion on the documentation in mid April, following which the European Commission will adopt a decision – it is clear from the text made available yesterday afternoon that the new Privacy Shield is “oceans apart” from the former Safe Harbor framework.
The underlying model remains the same, with US organisations being required to annually self-certify to the US Department of Commerce their adherence to a core set of enhanced privacy principles and publicise their compliance in publicly available privacy policies.
How Privacy Shield provides bite to complaints
However, most importantly, the Privacy Shield now has “teeth”. EU individuals can now raise complaints concerning the handling of their personal data directly with the US organisations concerned. US organisations must deal with complaints received expeditiously. If US organisations do not comply with the Privacy Shield privacy principles, the US Department of Commerce now has a review role, with investigatory support from the US Federal Trade Commission. EU individuals can liaise with their national Data Protection Commissioner (the Information Commissioner’s Office in the UK), who is empowered to work with the US Department of Commerce and the European Commission with a view to obtaining an appropriate resolution to complaints received. Complaints can also be filed with a Privacy Shield Panel, comprising twenty arbitrators selected by the US Department of Commerce and the European Commission, who are able to provide non-financial relief to affected EU individuals.
The ultimate sanction for a US organisation is removal from the Privacy Shield framework, which concomitantly requires the return or deletion of personal data received from EU organisations. A US organisation removed from the framework then needs to consider an alternative solution to regulate data transfers from EU organisations, including the European Commission’s model data transfer clauses.
The Privacy Shield framework includes safeguards against the kind of US government access to the personal data of EU citizens that came to light as a consequence of the Edward Snowden revelations.
The efficacy of the Privacy Shield is to be reviewed on an annual basis by the US Department of Commerce and the European Commission. This should help ensure the continued relevance and effectiveness of the framework.
Is Privacy Shield the answer to data flow regulation?
The importance of the Privacy Shield cannot be overestimated. Transatlantic data flows between the EU and the US are imperative for the global economy. Some of the largest companies in the world, including Apple, Facebook, Google, Twitter and Yahoo, rely on these data flows for their continued operation.
The Article 29 Working Party’s opinion is awaited with interest. While the Privacy Shield does not ensure equivalence with the existing EU Data Protection framework (which dates back to 1995), it is likely that the Privacy Shield will have a short shelf-life in the light of the coming into force of the EU General Data Protection Regulation in summer 2018, at which point a replacement framework, Privacy Shield 2.0, will need to be put in place.