Tag: Safe Harbor

Trump’s Executive Order Impact on the Privacy Shield

8. February 2017

Background

The Court of Justice of the European Union has invalidated the U.S.-EU Safe Harbor framework (October 2015), which was replaced by the Privacy Shield on 12 July 2016.

Enhancing Public Safety in the Interior of the United States” (Executive Order) was issued by the US President Donald Trump on 25th January 2017. This act’s main aim was the immigration laws enforcement in the U.S.

In its Section 14 we may read: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

The so-called “Umbrella Agreement” (signed on 2nd December 2016) between the U.S. and EU, ensured the personal data transfers for law enforcement purposes. This agreement applies also to the pre-existing agreements between the U.S. and EU along with the various Mutual Legal Assistance Treaties (“MLATs”), Passenger Name Records Agreement, and Safe Harbor framework.

Part 19 of the Umbrella Agreement enables every European citizen to seek judicial review in case of an unlawfully disclosure individual’s personal data or denial of the right to access or amend the personal data in agency’s possession.

Before the Umbrella Agreement, there was no such legal possibility, although the Privacy Act of 1974 extended those rights to permanent residents of the U.S. and its citizens. EU would only agree with the Umbrella Agreement once U.S. extends protections to the European citizens under the Privacy Act, so that the U.S. is expected to comply with the Umbrellas Agreement Art. 19.

Moreover, in February 2016 the Judicial Redress Act was passed as the U.S. and EU got along with each other, which extended protections of the Privacy Act (disclosure, access, amendment) to citizens of “covered countries’’ (as named in the Judicial Redress Act).

On 17th of January 2017 Loretta Lynch (new former U.S. Attorney General) designated “covered jurisdictions’’ (as named in the Judicial Redress act) to include in the Judicial Redress Act all the EU Members apart from Denmark and the UK, which has become effective on 1st February.

The Attorneys General designation however, is not subject to administrative or judicial review (within the Judicial Redress Act).

Conclusion

Donald Trump’s Executive Order is believed not to affect the Judicial Redress Act (which is applicable law in the context of data transfers for law enforcement purposes) in terms of the Privacy Act rights to the European citizens extension, so as to say that the Executive Order should not impact Privacy Shield Framework’s legal viability.

Unresolved is still an aspect of “covered countries’’ designation, as the Judicial Redress Act includes a “covered countries’’ designations removal process, which is still subject of a dispute.

Statement of the WP29 on the “EU – U.S. Privacy Shield”

4. February 2016

After the Press Conference held by Věra Jourová and Andrus Ansip from the European Commission about the proposal for a new agreement between EU and U.S. to carry out international data transfers, the WP29 met on the 2-3 February in order to discuss the consequences of the sentence from the ECJ and the future of international data transfers between EU and the U.S.

The WP29 has remarked that the following four guarantees should be ensured when international data transfers take place:

a) Transparency: the data subject whose data is processed should be informed so that he/she is able to foreseen the consequences of the data transfer.

b) Proportionality and necessity: the finality for which personal data is collected and accessed and the rights of the data subject should be balanced.

c) Independency of a control body that carries out checks in an effective and impartial manner.

d) Effective remedies: the individual should have the possibility to defend his/her rights before an independent body.

The WP29 will also analyze the existing mechanisms to carry out international data transfers, which currently can only take place if Standard Contractual Clauses or Binding Corporate Rules (BCR) are used. In any case, European DPAs will examine data transfers on a case-by-case basis.

However, the WP29 is still looking forward to receive the relevant documents related to the EU – U.S. Privacy Shield in order to analyze its content and to determine to which extent the agreement is legally binding.

 

If you would like to be updated on a regular basis on this and other data protection issues such as the General Data Protection Directive (GDPR), sign in for one of our newsletters:

German / European Data Protection http://www.datenschutzticker.de/newsletter/ (German Language)

International Data Protection http://www.privacy-ticker.com/newsletter/ (English language)

For how to proceed with your companies´ policies on internal or external data protection transfers to third countries and prepare for the GDPR seek individual advice.

 

The “EU – U.S. Privacy Shield”, a new agreement for international data transfers

3. February 2016

After continuous negotiations during the last months to agree on a new framework for international data transfers, since the ECJ invalidated the Safe Harbor Decision, Andrus Ansip (EU Commission Vice-President) and Věra Jourová (Commissioner) announced yesterday in a Press Conference that a new agreement (EU – U.S. Privacy Shield) to carry out international data transfers has been reached.

Under the EU – U.S. Privacy Shield, the following elements will be regulated:

  • Several redress possibilities will be guaranteed to EU citizens when data transfers to U.S. take place and companies, as first redress possibility, will have deadlines to resolve complaints.
  • The resolution includes a “multi-layered” approach in order to avoid that any complaints remain unresolved by offering different resolution mechanisms. Also the European DPAs will have the possibility to refer complaints to the U.S. Department of Commerce and to the Federal Trade Commission.
  • Companies will be subject to strong obligations regarding the processing of personal data imported from EU Member States. Particularly, personal data processed for HR purposes in the U.S. will have to comply with the decisions of EU DPAs.
  • It will be ensured that national authorities only have access to personal data from EU citizens in exceptional cases and subject to the principles of necessity and proportionality.
  • The figure of the “ombudsman” will be created, in order to make possible that EU citizens can complain regarding surveillance activities by national authorities.

This new framework should be reviewed in an annual basis, so that the rights of EU citizens regarding data protection are continuously ensured. This is an important step forward in comparison with the invalidated Safe Harbor Decision.

Although the main points of this agreement have been discussed, the written draft may take up to three months, as Commissioner Věra Jourová said. The Working Party 29 will advise the College of Commissioners on this issue before adopting the official decision. Additionally, the agreement will have to withstand scrutiny from the ECJ.

Proposal to create a U.S. privacy “ombudsman” to verify Safe Harbor compliance

26. January 2016

In a context where the Safe Harbor Decision has been declared invalid and the General Data Protection Regulation has entered into force, the European and American competent authorities are negotiating further mechanisms to carry out international data transfers in compliance with the current legislation.

According to Reuters, the U.S. has proposed creating the institution of the “ombudsman” as a component of the State Department. This institution shall handle with complaints from EU citizens regarding surveillance activities from American authorities,.verify that this surveillance activities are proportionate and that personal data transferred from the EU is accessed only in cases where national security is involved. However, EU negotiators have requested further details about this institution before the proposal is accepted.

Both negotiating parties, EU and U.S. authorities aim at reaching an agreement about the continuity and the legal basis to carry out data transfers to the U.S. by the beginning of February.