Category: International Data Transfers
13. July 2016
The EU Commission announced yesterday the formal adoption of the EU-U.S. Privacy Shield. Both, the EU Commission Vice-President, Andrus Ansip, and the EU Commissioner Vera Jourová highlighted the positive impact of the Privacy Shield not only for businesses, but especially for EU citizens, whose right to data protection will be enforced and several mechanisms will implemented in order to safeguard their rights.
The main aspects of the final draft of the EU-U.S. Privacy Shield are:
- U.S. companies handling EU personal data will be subject to stricter obligations. For instance, the American Department of Commerce will review regularly that the participating companies comply in practice with the commitments of the Privacy Shield. In case of incompliance, the company will face not only fines, but will be also removed from the list.
- The U.S. has ensured that bulk collection of EU citizens’ data will be carried out only if certain conditions are met and it will be as targeted and focused as possible. Also, a redress mechanism will be available for EU citizens to solve this kind of issues.
- Individual rights will be effectively protected through the implementation of dispute resolution mechanisms, which will be affordable and accessible for EU citizens. In case that the dispute is not resolved, an arbitration mechanism will be also available. If the dispute refers to U.S. national security Authorities, an independent Ombudsperson will handle the issue.
- The Privacy Shield will be subject to an annual review by the EU Commission and the U.S. Department of Commerce in order to monitor its functioning.
Next steps
The Privacy Shield constitutes an “adequacy decision”. This decision has been notified to the EU Member States by the EU Commission and will enter into force immediately. Additionally, it will also be published on the U.S. Official Journal.
Starting August 1st, the U.S. Department of Commerce will start processing membership requests. This means that companies that wish to certify and become members of the EU-U.S. Privacy Shield will have to review and if appropriate update their privacy programs.
Furthermore, the EU Commission will publish a guidance in order to inform EU citizens about the dispute resolution mechanisms available under the Privacy Shield.
What happens with the GDPR?
The GDPR lays down stricter requirements to carry out international data transfers than those of the Privacy Shield. As the GDPR will enter into force in two years, U.S. companies will have to be compliant also with the requirements of the GDPR.
However, this situation has been already addressed in two directions: on the one hand, the Privacy Shield will be subject to an annual review, as mentioned above; and on the other hand, the Privacy Shield states that its scope of application refers to data transfers and processing of personal data by U.S. companies as far as the processing does not fall under the scope of EU legislation.
11. July 2016
On the 8th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and the Commissioner Vera Jourová announced in a joint statement that the EU Member States have approved the updated draft of the EU-U.S. Privacy Shield. However, Austria, Bulgaria, Croatia, and Slovenia abstained from voting.
The statement remarks that the Privacy Shield will ensure a high data protection level for EU citizens, because it imposes stronger obligations for U.S. companies. Specially regarding the bulk collection of personal data from EU citizens by American authorities.
The formal adoption of the Privacy Shield is expected this week.
Although the EU-U.S. Privacy Shield has been approved, the legality of the agreement could be challenged, as occurred with the former Safe Harbor Framework.
4. July 2016
The EU Commission and American negotiators reached last week an agreement regarding the final draft of the EU-U.S. Privacy Shield. Now, the EU Commission has sent this draft to the Article 31 WP, who is expected to issue an opinion by tomorrow. If so, the EU-U.S. Privacy Shield will be implemented by the end of this week. Also, the final draft has been sent to the EU Parliament. The EU Parliament can issue an opinion, but cannot block its approval.
The Article 31 WP will meet today to review the text. Normally, the committee has two weeks to issue an opinion but the EU Commission expects an approval already this week.
28. June 2016
After several months of negotiations regarding the legitimating instruments to carry out international data transfers, EU and U.S. negotiators agreed last week on the final changes of the proposed EU-U.S. Privacy Shield.
The initial draft of the EU-U.S. Privacy Shield was criticized by several European Institutions such as the Article 29 WP, the EDPS, Article 31 WP and the UK Data Protection Authority (ICO) for not offering enough safeguards for EU citizens regarding the protection of their personal data upon data transfers to the U.S.
The main critic of the EU-U.S. Privacy Shield was focused on the independency of the ombudsman and on the massive surveillance activities from American Authorities. Additionally, a follow up control mechanism regarding compliance with the EU-U.S. Privacy Shield was required by European negotiators.
EU and U.S. negotiators have agreed to improve the above mentioned aspects in order to ensure more guarantees on the protection of EU citizens’ personal data:
- The White House committed in writing to collect EU personal data only under certain circumstances and for targeted purposes.
- Data retention periods have been defined concretely: organizations will be obliged to delete personal data that is no longer needed for the purposes for which it was originally collected.
- The proposal will include a specification that the ombudsman will be an independent institution.
As a next step, the Article 31 WP, made up of representatives of the EU Member States, will decide if the amended text complies with European Data Protection legislation. Both, the EU Commission and the U.S. Government hope that the EU-U.S. Privacy Shield enters into force by August 2016.
Implications for the UK
After UK citizens have voted to leave the EU, a two-year-negotiation between the EU and the UK Government will take place. During this time, UK organizations will have to comply with European legislation, also regarding international data transfers. When the UK ceases to be an EU Member State, it will be considered as being a third country in terms of international data transfers and will have to ensure enough safeguards regarding the protection of personal data.
7. June 2016
The Data Protection Authority of Hamburg just announced in a press statement that it checked the data transfers of 35 international organizations that are based in Hamburg.
After the judgment declaring the former Safe Harbor Framework by the European Commission invalid in October 2015 by the European Court of Justice, the DPA contacted organizations in Hamburg operating also in the U.S. and reviewed the transfer of personal data to the U.S. in order to determine whether other instruments are used than the Safe Harbor Framework. According to the mentioned press statement, the review has revelied that the majority of the companies had changed the legal basis of their transfers of data by implementing standard contractual clauses (SCC).
However, according to a report by Spiegel Online, there were three companies that did not change their legal basis for data transfer. Therefore, the three companies were fined:
Adobe (8.000 Euros), Punica (9.000 Euros) and Unilever (11.000 Euros)
As all three companies have changed the legal basis for data transfering during the proceeding, the DPA imposed a fine that was significantly smaller than the maximum of 300.000 Euros.
23. May 2016
On the 19th May, the Article 31 Committee, made up of representatives of the EU Member States, met in order to discuss the implications of the proposed draft of the EU-U.S. Privacy Shield. The Article 31 was created in order to reach decisions that require the approval of the EU Member States according to the Data Protection Directive 95/46/EC. This is the case, for example of the adoption of adequacy decisions, such as Safe Harbor in the past or the EU-U.S. Privacy Shield currently.
Article 31 concluded that it needed more time to reach a decision about the proposal. Moreover, a source of the Commission affirmed that further meetings in May and early June will take place. Also, the recommendations of the Article 29 WP are being taken into consideration before reaching a decision.
The decision of the Article 31 is expected by the end of June. The EU-U.S. Privacy Shield can be only adopted if a qualified majority of 16 Member States representing 65 percent of the EU population votes for the adoption of the Privacy Shield.
Until a decision is reached, Standard Contractual Clauses and Binding Corporate Rules can still be used to carry out international data transfers on a legal basis.
Pages: Prev 1 2 3 4 5 6 7 8 
