Tag: EU-U.S. Privacy Shield
4. August 2016
Recently, the IAPP (International Association for Privacy Professionals) published the results of a survey carried out by Baker & McKenzie regarding the perspectives and expectations that Privacy Professionals have about the changing legislative scope in the field of Data Protection.
The participants were senior managers and individuals involved in the fields of data protection and data security that belonged to multi-national organizations, government agencies, regulatory bodies or policy and academic institutions.
Most of the respondents acknowledge that both, GDPR and Privacy Shield, imply that organizations have to implement an action-plan accordingly. This will imply higher costs and efforts. Furthermore, 70% of the respondents stated that the most difficult requirements of the GDPR to comply with are consent, data mapping and international data transfers. A 45% stated that their organization does not have adequate tools currently to be compliant and implementing the required tools may be involved with significant costs.
Moreover, the majority of the participants recommended organizations to self-certify as soon as possible, so that they would still have nine months to make contractors also comply with the principles. Also, they believe that the Privacy Shield should be complemented by other mechanisms to transfer personal data such as Binding Corporate Rules or Standard Contractual Clauses.
2. August 2016
The EU Commission announced yesterday the full operability of the agreed EU-U.S. Privacy Shield as substitute of the former Safe Harbor Framework. The Department of Commerce will verify the privacy policies of the U.S. Companies that sign up the Privacy Shield in order to ensure that they comply with the standards agreed on the new framework.
Furthermore, the EU Commission has also published a citizen’s guide regarding how their rights will be ensured and how to address complaints if they consider that their rights have not been respected. Amongst others, EU citizens have the right to access the data an organization holds about them, to correct their data if this is inaccurate or incorrect, to have access to the different dispute resolution mechanisms, etc.
U.S. Secretary of Commerce Penny Pritzker also made a statement regarding the launch of the new framework: “After more than two years of discussions, it is time to implement the new EU-U.S. Privacy Shield Framework with our partners in Europe and companies on both continents. With the Privacy Shield in place, businesses will be able to protect privacy and truly seize the opportunities offered by the transatlantic digital economy. More than $260 billion in digital services trade is already conducted across the Atlantic Ocean annually, but there is significant potential for this figure to grow, resulting in a stronger economy and job creation. The Privacy Shield opens a new era in data privacy that will deliver concrete and practical results for our citizens and businesses.”
27. July 2016
The Article 29 WP issued on the 26th July a statement about the adopted EU-U.S. Privacy Shield. After its previous opinion on the Privacy Shield (opinion WP 238), the WP 29 welcomes the improvements brought by the final draft, but it remarks that there are still some concerns, already addressed in the Opinion WP 238, that have not been clarified yet.
Regarding commercial aspects, the Privacy Shield does not specifically address issues related to automated decision making or the general right to object. Furthermore, it is not clear the impact that the Privacy Shield shall have on data processors.
A further concern relates to the access to personal data by American public authorities. The WP 29 had expected stricter assurances that the institution of the Ombudsman is independent. Additionally, there are neither enough assurances, that a massive collection of EU citizens’ personal data will not take place.
Despite the lack of clarity in some aspects of this new framework, the WP 29 will wait until the first annual review takes place to assess the effectiveness of the EU-U.S. Privacy Shield. The result of the first annual joint review may also involve considering the effectiveness of Binding Corporate Rules and Standard Contractual Clauses.
19. July 2016
Recently, the European online newspaper POLITICO published an interview conducted with the two lead U.S. negotiators of the Privacy Shield: Justin Antonipillai, counselor to Commerce Secretary Penny Pritzker and acting undersecretary of commerce for economic affairs, and Ted Dean, a deputy assistant secretary in the department.
Antonipillai explained the EU-U.S. Privacy Shield as “a program to allow companies to transfer data from the EU to the U.S. in a way that meets requirements under European privacy laws”. He remarked that the main objective of the Privacy Shield is to make both, companies and EU citizens, confident that the requirements to transfer personal data are being meet.
He also explained how American and European different methodologies to ensure privacy and data protection have converged in order to agree on the Privacy Shield. According to Antonipillai, an important fact is that companies are certifying and following the principles voluntarily.
Dean also recognizes that the Privacy Shield may be challenged in court. But he adds that the current framework has been built up and discussed with EU Institutions and European DPAs and there is an interest from both sides on a long-term duration of the new framework. Finally, he stated that the impact of the “Brexit” on international personal data transfers cannot be predicted in advance.
