Following the ruling of the European Court of Justice in October 2015 which declared the Safe Harbour framework invalid, the European Commission has now announced its adoption of an adequacy decision approving the new EU-US Privacy Shield.
So what does this mean in a commercial context?
From 1 August 2016, US companies can self-certify on an annual basis with the US Department of Commerce that they meet the Privacy Shield requirements. This should then allow data transfers from data controllers and/or processors within the EU to those self-certified companies in the US. In theory at least, this should provide clarity for businesses and enable more fluid and transparent data flows across the Atlantic.
Vera Jourova, the Commissioner for Justice, Consumers and Gender Equality, has said that it is ‘robust’, that it will ‘ensure legal certainty for businesses’ and that it ‘brings stronger data protection standards that are better enforced, safeguards on government access and easier redress for individuals in case of complaints.’
Essentially, Privacy Shield is intended to tighten up the old Safe Harbour regime and to make a start on reflecting more accurately the forthcoming change in data protection legislation. The US Department of Commerce will undertake regular reviews of participating companies, with sanctions or removal from the list of certified companies as potential penalties for those that do not comply. Individual EU citizens will also have their rights better protected, with a range of cheaper and easier options available to them if they suspect their data has been misused.
Not surprisingly, Privacy Shield has received a mixed response. Some technology companies have welcomed the decision, whilst some privacy experts have criticised it. The Article 29 Working Party has since issued a statement saying that ‘it welcomes the improvements brought by the Privacy Shield mechanism compared to the Safe Harbour decision’ but expressing some concerns and requesting further clarifications. For instance, it regrets the lack of specific rules on automated decisions and of a general right to object. It also requests further clarity on the way in which the Privacy Shield will apply specifically to data processors.
It remains to be seen just how effective Privacy Shield will be and whether any ECJ challenge to its validity will arise. No doubt this will become clear over time. Further issues may be raised following the first joint annual review, and subsequent negotiations are likely to accommodate the imminent changes brought about by the Data Protection Regulation. However, despite existing criticism and apprehension, it is likely that businesses and former Safe Harbour participant companies will welcome a new framework on which they can legitimately rely.
In reality, and for many companies, standard contractual clauses (the European Commission’s model clauses, as recognised by the Information Commissioner’s Office) will already have been put in place and will probably continue to be used unless there are strong commercial reasons for change, or perhaps at least until there is more concrete evidence to suggest that the EU-US Privacy Shield is effective. And of course, as the UK is shortly to leave the EU (and unless it subsequently joins the European Economic Area), it may not be quite so relevant to UK businesses in the future…
If you wish to know more about the above or any other privacy related issues, please do contact me.