Tag: EU – US Privacy Shield

EU-U.S. Privacy Shield is being challenged

28. October 2016

As the website of the European Court of Justice just released, is the EU-U.S. Privacy Shield being challenged by Digital Rights Ireland, an Irish privacy advocacy group.

The facts of this case (Digital Rights Ireland v Commission; Case T-670/16) are as follows:

  • Digital Rights Ireland has filed an action for annulment against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield.
  • There has been no comment from Digital Rights Ireland yet.
  • No documents have been published with regard to the case so far.
  • However, as HuntonPrivacyBlog reported “(…) media sources quote a spokesperson for the European Commission acknowledging the case and stressing the European Commission’s conviction that the Privacy Shield meets all legal requirements.”

Google Analytics joins EU-U.S. Privacy Shield

31. August 2016

On its blog Google Analytics announced on the 29th of August that they have self-certified to the EU-U.S. Privacy Shield.

The statement describes the EU-U.S. Privacy Shield as a new framework for transfers of personal data from Europe to the United States, which can be seen as a significant milestone for the protection of Europeans’ personal data, legal certainty of transatlantic businesses, and trust in the digital economy.

Therefore, Google has now committed that they comply with the Privacy Shield’s principles and furthermore that they will safeguard the transfers of personal data, whereas no action is required from their customers.

EU Commission announces formal adoption of the EU-U.S. Privacy Shield

13. July 2016

The EU Commission announced yesterday the formal adoption of the EU-U.S. Privacy Shield. Both, the EU Commission Vice-President, Andrus Ansip, and the EU Commissioner Vera Jourová highlighted the positive impact of the Privacy Shield not only for businesses, but especially for EU citizens, whose right to data protection will be enforced and several mechanisms will implemented in order to safeguard their rights.

The main aspects of the final draft of the EU-U.S. Privacy Shield are:

  • U.S. companies handling EU personal data will be subject to stricter obligations. For instance, the American Department of Commerce will review regularly that the participating companies comply in practice with the commitments of the Privacy Shield. In case of incompliance, the company will face not only fines, but will be also removed from the list.
  • The U.S. has ensured that bulk collection of EU citizens’ data will be carried out only if certain conditions are met and it will be as targeted and focused as possible. Also, a redress mechanism will be available for EU citizens to solve this kind of issues.
  • Individual rights will be effectively protected through the implementation of dispute resolution mechanisms, which will be affordable and accessible for EU citizens. In case that the dispute is not resolved, an arbitration mechanism will be also available. If the dispute refers to U.S. national security Authorities, an independent Ombudsperson will handle the issue.
  • The Privacy Shield will be subject to an annual review by the EU Commission and the U.S. Department of Commerce in order to monitor its functioning.

Next steps

The Privacy Shield constitutes an “adequacy decision”. This decision has been notified to the EU Member States by the EU Commission and will enter into force immediately. Additionally, it will also be published on the U.S. Official Journal.

Starting August 1st, the U.S. Department of Commerce will start processing membership requests. This means that companies that wish to certify and become members of the EU-U.S. Privacy Shield will have to review and if appropriate update their privacy programs.

Furthermore, the EU Commission will publish a guidance in order to inform EU citizens about the dispute resolution mechanisms available under the Privacy Shield.

What happens with the GDPR?

The GDPR lays down stricter requirements to carry out international data transfers than those of the Privacy Shield. As the GDPR will enter into force in two years, U.S. companies will have to be compliant also with the requirements of the GDPR.

However, this situation has been already addressed in two directions: on the one hand, the Privacy Shield will be subject to an annual review, as mentioned above; and on the other hand, the Privacy Shield states that its scope of application refers to data transfers and processing of personal data by U.S. companies as far as the processing does not fall under the scope of EU legislation.

The EU-U.S. Privacy Shield has been approved

11. July 2016

On the 8th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and the Commissioner Vera Jourová announced in a joint statement that the EU Member States have approved the updated draft of the EU-U.S. Privacy Shield. However, Austria, Bulgaria, Croatia, and Slovenia abstained from voting.

The statement remarks that the Privacy Shield will ensure a high data protection level for EU citizens, because it imposes stronger obligations for U.S. companies. Specially regarding the bulk collection of personal data from EU citizens by American authorities.

The formal adoption of the Privacy Shield is expected this week.

Although the EU-U.S. Privacy Shield has been approved, the legality of the agreement could be challenged, as occurred with the former Safe Harbor Framework.

EU-U.S. Privacy Shield: approval expected within this week

4. July 2016

The EU Commission and American negotiators reached last week an agreement regarding the final draft of the EU-U.S. Privacy Shield. Now, the EU Commission has sent this draft to the Article 31 WP, who is expected to issue an opinion by tomorrow. If so, the EU-U.S. Privacy Shield will be implemented by the end of this week. Also, the final draft has been sent to the EU Parliament. The EU Parliament can issue an opinion, but cannot block its approval.

The Article 31 WP will meet today to review the text. Normally, the committee has two weeks to issue an opinion but the EU Commission expects an approval already this week.

Agreement by EU and U.S. negotiators on final changes on the Privacy Shield

28. June 2016

After several months of negotiations regarding the legitimating instruments to carry out international data transfers, EU and U.S. negotiators agreed last week on the final changes of the proposed EU-U.S. Privacy Shield.

The initial draft of the EU-U.S. Privacy Shield was criticized by several European Institutions such as the Article 29 WP, the EDPS, Article 31 WP and the UK Data Protection Authority (ICO) for not offering enough safeguards for EU citizens regarding the protection of their personal data upon data transfers to the U.S.

The main critic of the EU-U.S. Privacy Shield was focused on the independency of the ombudsman and on the massive surveillance activities from American Authorities. Additionally, a follow up control mechanism regarding compliance with the EU-U.S. Privacy Shield was required by European negotiators.

EU and U.S. negotiators have agreed to improve the above mentioned aspects in order to ensure more guarantees on the protection of EU citizens’ personal data:

  • The White House committed in writing to collect EU personal data only under certain circumstances and for targeted purposes.
  • Data retention periods have been defined concretely: organizations will be obliged to delete personal data that is no longer needed for the purposes for which it was originally collected.
  • The proposal will include a specification that the ombudsman will be an independent institution.

As a next step, the Article 31 WP, made up of representatives of the EU Member States, will decide if the amended text complies with European Data Protection legislation. Both, the EU Commission and the U.S. Government hope that the EU-U.S. Privacy Shield enters into force by August 2016.

Implications for the UK

After UK citizens have voted to leave the EU, a two-year-negotiation between the EU and the UK Government will take place. During this time, UK organizations will have to comply with European legislation, also regarding international data transfers. When the UK ceases to be an EU Member State, it will be considered as being a third country in terms of international data transfers and will have to ensure enough safeguards regarding the protection of personal data.

German DPA fines three companies for illegal data transfer to the U.S.

7. June 2016

The Data Protection Authority of Hamburg just announced in a press statement that it checked the data transfers of 35 international organizations that are based in Hamburg.

After the judgment declaring the former Safe Harbor Framework by the European Commission invalid  in October 2015 by the European Court of Justice, the DPA contacted organizations in Hamburg operating also in the U.S. and reviewed the transfer of personal data to the U.S. in order to determine whether other instruments are used than the Safe Harbor Framework. According to the mentioned press statement, the review has revelied that the majority of the companies had changed the legal basis of their transfers of data by implementing standard contractual clauses (SCC).

However, according to a report by Spiegel Online, there were three companies that did not change their legal basis for data transfer. Therefore, the three companies were fined:

Adobe (8.000 Euros), Punica (9.000 Euros) and Unilever (11.000 Euros)

As all three companies have changed the legal basis for data transfering during the proceeding, the DPA imposed a fine that was significantly smaller than the maximum of 300.000 Euros.



European Data Protection Supervisor issues opinion on EU-U.S. Privacy Shield

1. June 2016

The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued this week his opinion on the EU-U.S. Privacy Shield. The EDPS is an independent EU institution created in 2004 that assesses EU institutions on policies and legislation related to privacy and data protection and cooperates with authorities in these matters.

The EDPS emphasized on the following key aspects related to the EU-U.S. Privacy Shield:

  • The current draft is not solid enough and improvements should be made in order to withstand scrutiny before the ECJ.
  • The Privacy Shield should offer a long-term solution regarding international data transfers to the U.S.
  • The protection provided by the Privacy Shield should ensure the rights to redress, transparency, data privacy and oversight.
  • It should also prevent from indiscriminate surveillance by American authorities.
  • The draft should comply with the GDPR, including international data transfers.
  • International companies should be aware of and comply with their obligations on privacy and data protection issues.

To sum up, the Privacy Shield should offer an equivalent data protection level to that existing in the EU.

Category: EU · General
Tags: ,

Renegotiation of the Privacy Shield

The European Parliament approved a resolution concerning the European Commission reopening negotiations with US authorities on the EU-US Privacy Shield last week. Furthermore, the resolution intends to implement the recommendations of the Article 29 Working Party on the draft Privacy Shield adequacy decision.

The resolution that was approved by the majority of members of the European Parliament says that the executive still needs to improve the data transfer deal allowing US authorities to collect EU citizens’ data.

Although the Parliament’s opinion is not binding, it builds up pressure on the Commission in order to increase the level of data protection in the much discussed agreement.

After the Safe Harbour agreement was declared invalid last October due to the fact that it did not protect European citizens’ data once they were sent to the USA, the executive is now behind schedule as EU Justice Commissioner Vera Jourova and Digital Commissioner Günther Oettinger initially stated that the new agreement should go into effect by the end of June. However, in order for that to happen a group of diplomats from European member states have to sign their approval first. Nevertheless, although the diplomats were expected to vote on the Privacy Shield last week, they delayed their final decision as they scheduled new meetings up until the end of June.

Generally, the Commission has already finished the negotiations concerning the Privacy Shield with US authorities, though clarification on some points is needed. Commission spokesman Christian Wigand described the clarifications as realistic changes and not a drastic renegotiation of the agreement.

However, the Parliament’s resolution intends to take criticism from national privacy protectors of the European member states “fully” into account.

Category: EU · Safe Harbor · USA

Update EU-U.S. Privacy Shield: Article 31 needs more time to consider the implications of the proposal

23. May 2016

On the 19th May, the Article 31 Committee, made up of representatives of the EU Member States, met in order to discuss the implications of the proposed draft of the EU-U.S. Privacy Shield. The Article 31 was created in order to reach decisions that require the approval of the EU Member States according to the Data Protection Directive 95/46/EC. This is the case, for example of the adoption of adequacy decisions, such as Safe Harbor in the past or the EU-U.S. Privacy Shield currently.

Article 31 concluded that it needed more time to reach a decision about the proposal. Moreover, a source of the Commission affirmed that further meetings in May and early June will take place. Also, the recommendations of the Article 29 WP are being taken into consideration before reaching a decision.

The decision of the Article 31 is expected by the end of June. The EU-U.S. Privacy Shield can be only adopted if a qualified majority of 16 Member States representing 65 percent of the EU population votes for the adoption of the Privacy Shield.

Until a decision is reached, Standard Contractual Clauses and Binding Corporate Rules can still be used to carry out international data transfers on a legal basis.

Pages: 1 2 Next
1 2