The formal signingof the Privacy Shield marks a critical step in facilitating free-flowing,cross-border transfers of personal data for 4,500 large and small businesses inEurope and the US. The Privacy Shield aims to create a robust and livingframework tailored to the digital ecosystem of transatlantic data transfers forbusinesses and European data subjects alike.
As we previouslyreported (see hereand here), the Privacy Shield is the solution to a major challengeto transatlantic data transfers following the invalidation of the Safe Harborprogramme by the Court of Justice of the European Union (CJEU) 8 months ago.
The Privacy Shieldpromises robust and effective changes to the way in which enterprises transferpersonal data and the protections afforded to individual Europeans. Some of thekey features of the new scheme include:
- Ombudsman: there will now be a US-based independent ombudsman devoted to the protection of personal data held by European businesses. It has been reported that US official Cathy Novelli will be the first such ombudsman. The ombudsman will invoke the rights of access, erasure and rectification of personal data on behalf of individuals. This is a game-changer for EU-US data flows and will seek to address the CJEU’s concerns that ‘Safe Harbor’ did not provide adequate remedies for privacy violations.
- Government oversight: US companies will be in a position to apply to be registered as self-certified companies as of 1 August 2016 once they have met certain pre-conditions including having a dispute resolution mechanism and a compliant privacy statement in place. Crucially, they will also be regulated by the US Department of Commerce. An added advantage of this system will be that the data processing activities of US companies will be vetted independently, further cementing the protection of personal data protection.
- Ongoing monitoring & reviews: the Privacy Shield aims to provide an effective ‘living’ framework to safeguard data transfers from Europe to the US, allowing businesses to deal with the personal data of millions of individuals. It will also be subject to annual reviews by EU institutions and US officials to monitor the effectiveness of the mechanism and the commitments provided. European data protection authorities will also engage in ongoing monitoring on the effectiveness of this new framework.
The Privacy Shieldwill now be translated and published in the Official Journal of the EuropeanUnion. However, the path ahead may not be straightforward as legal challengesare expected. It is likely that the Privacy Shield will be referred to the CJEUfor an assessment as to the ‘adequacy’ of the Privacy Shield and whether itactually provides protection that is essentially equivalent to EU standards ofdata protection.
Businessesconsidering applying for the new scheme will be closely monitoring developmentsin the coming weeks and months particularly in light of the current Irish HighCourt case of Schrems II (see our previous article here).
Contributedby John Magee