EU-US Privacy Shield Agreement Signed
The EU-US Privacy Shield Agreement has been formally adopted by EU and US officials
The formal signing
of the Privacy Shield marks a critical step in facilitating free-flowing,
cross-border transfers of personal data for 4,500 large and small businesses in
Europe and the US. The Privacy Shield aims to create a robust and living
framework tailored to the digital ecosystem of transatlantic data transfers for
businesses and European data subjects alike.
As we previously
reported (see here
and here), the Privacy Shield is the solution to a major challenge
to transatlantic data transfers following the invalidation of the Safe Harbor
programme by the Court of Justice of the European Union (CJEU) 8 months ago.
The Privacy Shield
promises robust and effective changes to the way in which enterprises transfer
personal data and the protections afforded to individual Europeans. Some of the
key features of the new scheme include:
- Ombudsman: there will now be a US-based independent ombudsman devoted to the protection of personal data held by European businesses. It has been reported that US official Cathy Novelli will be the first such ombudsman. The ombudsman will invoke the rights of access, erasure and rectification of personal data on behalf of individuals. This is a game-changer for EU-US data flows and will seek to address the CJEU's concerns that 'Safe Harbor' did not provide adequate remedies for privacy violations.
- Government oversight: US companies will be in a position to apply to be registered as self-certified companies as of 1 August 2016 once they have met certain pre-conditions including having a dispute resolution mechanism and a compliant privacy statement in place. Crucially, they will also be regulated by the US Department of Commerce. An added advantage of this system will be that the data processing activities of US companies will be vetted independently, further cementing the protection of personal data protection.
- Ongoing monitoring & reviews: the Privacy Shield aims to provide an effective 'living' framework to safeguard data transfers from Europe to the US, allowing businesses to deal with the personal data of millions of individuals. It will also be subject to annual reviews by EU institutions and US officials to monitor the effectiveness of the mechanism and the commitments provided. European data protection authorities will also engage in ongoing monitoring on the effectiveness of this new framework.
The Privacy Shield
will now be translated and published in the Official Journal of the European
Union. However, the path ahead may not be straightforward as legal challenges
are expected. It is likely that the Privacy Shield will be referred to the CJEU
for an assessment as to the 'adequacy' of the Privacy Shield and whether it
actually provides protection that is essentially equivalent to EU standards of
data protection.
Businesses
considering applying for the new scheme will be closely monitoring developments
in the coming weeks and months particularly in light of the current Irish High
Court case of Schrems II (see our previous article here).
Contributed
by John Magee
Back to Legal News