Category: EU-U.S. Privacy Shield

Trust in current mechanisms to carry out international data transfer decreases

1. September 2016

According to a survey conducted recently by the International Association of Privacy Professionals (IAPP), trust in current legal mechanisms to carry out data transfers to third countries, such as Standard Contractual Clauses and the EU-U.S. Privacy Shield, has decreased.

The results of this survey reveal that 80 percent of companies relies on the Standard Contractual Clauses approved by the EU Commission to carry out international data transfers, especially to the U.S.A. However, there is currently uncertainty regarding the validity of the Standard Contractual Clauses, which may be also invalidated by the ECJ, as already occurred with the former Safe Harbor framework.

Regarding the EU-U.S. Privacy Shield, which is operative since 1st August, the survey reveals that only 42 percent of U.S. companies plan to self-certify through this new framework, compared to the 73 percent that conducted self-certification with the Safe Harbor framework. The main reason for this may be related to the uncertainty regarding its validity. The Article 29 WP stated recently that the first annual review of the Privacy Shield will be decisive.

Finally, Binding Corporate Rules (BCR) are also used by companies to carry out intra-group data transfers. However, there are several reasons why not many companies implement them. One of these reasons relates to the high costs involved with the implementation. Moreover, the implementation process can last over one year. Also, BCR can be only used for international data transfers within the group, so that other mechanisms shall be used if data transfers outside the group take place.

How to join the EU-U.S. Privacy Shield?

23. August 2016

In order to join the EU-U.S. Privacy Shield a company has to self-certify and therefore ensure the following requirements:

     1. The eligibility of the company has to be confirmed in order to participate in the

          EU-U.S. Privacy Shield.

     2. Development of a Privacy Policy that is compliant to the EU-U.S. Privacy Shield.

  • The Privacy Policy has to comply with the EU-U.S. Privacy Shield Principles.
  • The Privacy Policy has to refer to the Privacy Shield Compliance.
  • An accurate location for the Privacy Policy has to be provided and made sure that it is publicly available.

    3. Independent recourse mechanisms need to be identified.

  • Enforcement and Liability Principle: the company has to provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual.

   4. Verification mechanisms need to be in place.

  • The company is required to have procedures in place for verifying compliance through self-assessments or third party assessments.

     5. Implementation of a person of contact.

  • The company is required to provide a contact with regard to questions, complaints, access requests, and any other issues arising under the EU-U.S. Privacy Shield.

 

Furthermore, the company has to pay a fee depending on the annual revenue:

Company’s Annual RevenueFee
$0 to $5 million$250
Over $5 million to $25 million$650
Over $25 million to $500 million$1,000
Over $500 million to $5 billion$2,500
Over $5 billion$3,250

EU-U.S. Privacy Shield – What does it mean in practice?

17. August 2016

Concerning U.S.-American Companies:

  • Annual self-certification that they meet the requirements
  • Displaying the privacy policy on their website
  • Replying in a reasonable period of time to any complaints
  • In case human resources data is processed: cooperation and compliance with European Data Protection Authorities

Concerning European Individuals:

  • More transparency about the transfer of personal data to the U.S. and an increase of the protection level of this data.
  • Cheaper and easier redress possibilities in case of complaints: either directly towards the company or with the support of the respective Data Protection Authority.

 

List of approved companies under the EU-U.S. Privacy Shield was released

16. August 2016

list was released last week containig about 40 companies that have been approved under the EU-U.S. Privacy Shield.

A spokesman of the Department of Commerce commented that this list would be updated continuously. He went on by saying that “There are nearly 200 applications currently involved in our rigorous review process.”

Nevertheless, the Wall Street Journal just released an article mentioning that due to the lack of legal uncertainty of the EU-U.S. Privacy Shield, companies demonstrate restraint in joining the agreement.

However, “we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids” concluded Jay Cline working with PwC.

Is there a high risk that the Privacy Shield will be invalidated?

5. August 2016

Having in mind that the European Court of Justice declared Privacy Shield’s predecessor, Safe Harbor, invalid, the Head of the Hamburg data protection authority, Prof. Dr. Johannes Caspar, would like to ask the European Court of Justice whether it thinks that the Commission’s decision to strike the data-transfer deal was valid.

Due to the fact that there might be upoming legal changes in Germany Caspar hopes that those will make it possible for the country’s DPAs to challenge adequacy decisions.

An E-Mail was published quoting Caspar saying that “The decision of the EU Commission concerning the Privacy Shield constitutes a new legal ground for data subjects, which is a binding document for all members of the [Article 29 Working Party of data protection authorities],” and going on “On the other hand, I have serious doubts whether this adequacy decision meets the legal requirements of the principle of proportionality and judicial redress in the [CJEU’s] Safe Harbor judgement.” Caspar went on commenting that “It is expected that sooner or later the CJEU will assess whether the access by public U.S. authorities to personal data transferred under the Privacy Shield is limited to what is strictly necessary and proportionate in a democratic society. If there is a legal way to seek reference to the CJEU – and we hope that the national lawmaker will enact a law for national DPAs soon – we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision.”

Due to the fact that the GDPR is a regulation rather than a directive, it does not require transposition into national laws. However, the German government debates about new legislation in order to make German data protection law compliant with the GDPR. However, in July the German government issued a statement saying it is working on the new legislation but not mentioning whether this also includes that DPAs are able to challenge adequacy decisions.

Furthermore, Caspar commented that the Article 29 Working Party’s next opportunity to question the Privacy Shield will come in a year’s time, “if the Shield will still be in force”.

However, not only Caspar shows a sceptical point of view towards the Privacy Shield, Thomas Jansen, a partner with DLA Piper in Munich stated that “Many [European] data protection and privacy experts see a high risk that the Privacy Shield will be invalidated”.

 

Privacy Shield: the first applications were submitted

4. August 2016

Although companies began submitting their application to join the EU-U.S. Privacy Shield, the U.S. Department of Commerce did not immediately list their compliance.

Among others, Microsoft was one of the first businesses to certify that it complied with the new rules for transferring European Union citizens’ personal data to the U.S.

On its blog Microsoft published a statement by Vice President for EU Government Affairs John Frank saying “We expect it to be approved in the coming days”.  Furthermore, he said “Going forward, any data which we will transfer from Europe to the U.S. will be protected by the Privacy Shield’s safeguards.”

The process for joining the EU-U.S. Privacy Shield includes a self-certification, which is charged by the U.S. Department of Commerce. The fee for processing their annual applications and adding them to the register ranges from $250 for organizations with revenue under US$5 million up to $3,250 for those with revenue over $5 billion.

However, organizations also have to pay in order to join an arbitration service or in terms of data protection authorities dealing with complaints.

 

Category: EU · EU-U.S. Privacy Shield · USA
Tags:

EU-U.S. Privacy Shield operational since August, 1st

2. August 2016

The EU Commission announced yesterday the full operability of the agreed EU-U.S. Privacy Shield as substitute of the former Safe Harbor Framework. The Department of Commerce will verify the privacy policies of the U.S. Companies that sign up the Privacy Shield in order to ensure that they comply with the standards agreed on the new framework.

Furthermore, the EU Commission has also published a citizen’s guide regarding how their rights will be ensured and how to address complaints if they consider that their rights have not been respected. Amongst others, EU citizens have the right to access the data an organization holds about them, to correct their data if this is inaccurate or incorrect, to have access to the different dispute resolution mechanisms, etc.

U.S. Secretary of Commerce Penny Pritzker also made a statement regarding the launch of the new framework: “After more than two years of discussions, it is time to implement the new EU-U.S. Privacy Shield Framework with our partners in Europe and companies on both continents. With the Privacy Shield in place, businesses will be able to protect privacy and truly seize the opportunities offered by the transatlantic digital economy. More than $260 billion in digital services trade is already conducted across the Atlantic Ocean annually, but there is significant potential for this figure to grow, resulting in a stronger economy and job creation. The Privacy Shield opens a new era in data privacy that will deliver concrete and practical results for our citizens and businesses.”

Article 29 WP issues statement about the adopted EU-U.S. Privacy Shield

27. July 2016

The Article 29 WP issued on the 26th July a statement about the adopted EU-U.S. Privacy Shield. After its previous opinion on the Privacy Shield (opinion WP 238), the WP 29 welcomes the improvements brought by the final draft, but it remarks that there are still some concerns, already addressed in the Opinion WP 238, that have not been clarified yet.

Regarding commercial aspects, the Privacy Shield does not specifically address issues related to automated decision making or the general right to object. Furthermore, it is not clear the impact that the Privacy Shield shall have on data processors.

A further concern relates to the access to personal data by American public authorities. The WP 29 had expected stricter assurances that the institution of the Ombudsman is independent. Additionally, there are neither enough assurances, that a massive collection of EU citizens’ personal data will not take place.

Despite the lack of clarity in some aspects of this new framework, the WP 29 will wait until the first annual review takes place to assess the effectiveness of the EU-U.S. Privacy Shield. The result of the first annual joint review may also involve considering the effectiveness of Binding Corporate Rules and Standard Contractual Clauses.

U.S. Negotiators clarify EU-U.S. Privacy Shield

19. July 2016

Recently, the European online newspaper POLITICO published an interview conducted with the two lead U.S. negotiators of the Privacy Shield: Justin Antonipillai, counselor to Commerce Secretary Penny Pritzker and acting undersecretary of commerce for economic affairs, and Ted Dean, a deputy assistant secretary in the department.

Antonipillai explained the EU-U.S. Privacy Shield as “a program to allow companies to transfer data from the EU to the U.S. in a way that meets requirements under European privacy laws”. He remarked that the main objective of the Privacy Shield is to make both, companies and EU citizens, confident that the requirements to transfer personal data are being meet.

He also explained how American and European different methodologies to ensure privacy and data protection have converged in order to agree on the Privacy Shield. According to Antonipillai, an important fact is that companies are certifying and following the principles voluntarily.

Dean also recognizes that the Privacy Shield may be challenged in court. But he adds that the current framework has been built up and discussed with EU Institutions and European DPAs and there is an interest from both sides on a long-term duration of the new framework. Finally, he stated that the impact of the “Brexit” on international personal data transfers cannot be predicted in advance.

Pages: Prev 1 2 3
1 2 3