17 Aug European Commission Adopts EU-US Privacy Shield
The European Commission has adopted the EU-US Privacy Shield. This will have an impact on many IT and technology companies that transfer personal data across borders, and it is likely also to affect UK businesses dealing with both the EU and the US.
Privacy Shield Principles
Companies that participate must adhere to the following seven principles, which are largely based on the Safe Harbor principles, although the requirements around implementation have been enhanced:
- Notice.
- Choice.
- Accountability for onward transfer.
- Security.
- Data integrity and purpose limitation.
- Access.
- Recourse, enforcement, and liability.
Companies must also adhere to 16 supplemental principles, where applicable (see Annex II to the Commission decision).
The Privacy Shield is designed to meet the requirements set out by the ECJ in the Schrems ruling and to address the concerns raised by other EU data protection bodies.
Oversight and Supervision of participating companies
The new arrangement is more transparent and comes with effective supervision mechanisms, including regular compliance monitoring of participating companies. Non-compliant companies may face sanctions and removal from the Privacy Shield list.
It also ensures that companies that cease to be members of the Privacy Shield continue to apply the principles to data received under the arrangement for as long as they retain it, creating obligations that survive withdrawal and have a practical impact on the business.
Where participating companies transfer data to third parties, they must ensure that the third party provides the same level of protection as the participating company itself. The third party must in turn inform the participating company if it can no longer ensure that level of protection, and the company must then take measures to address this.
Limitations on data retention are explicit: companies may keep personal data only for as long as it serves the purpose for which it was collected.
Redress mechanisms for EU citizens
EU citizens now have multiple avenues to address concerns about how their data is processed under the Privacy Shield, as follows:
- Resolution by the participating company. Participating companies must reply to complainants within 45 days. Where human resources data is handled, they must comply with the advice of the competent European data protection authority (DPA).
- Alternative Dispute Resolution (free of charge). Participating companies may sign up to this as one of the required redress options. Their privacy policies must identify their chosen independent dispute resolution provider and link to its website, a requirement which the DOC will verify.
- EU DPA. A citizen may refer a complaint to their “home” DPA, which will pass it to the DOC. The DOC must respond within 90 days; if it cannot resolve the complaint, the matter may be referred to the Federal Trade Commission (FTC). The FTC has committed to prioritise complaints referred in this way.
- Privacy Shield Panel (arbitration). Available as a last resort, this panel can issue binding decisions against participating companies. “Consumer friendly” features include no cost to the individual, participation by video conference, and free translation and interpretation.
- Ombudsperson for national security related complaints. The Ombudsperson will be independent of the US intelligence community. Individuals will be informed whether their matter has been properly investigated, whether or not US law has been broken and, if so, whether this has since been remedied.
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, has stated that the Privacy Shield brings “stronger data protection standards that are better enforced, safeguards on government access and easier redress for individuals in case of complaints”.
The European Commission presents the Privacy Shield as transforming a self-regulating system into one with active oversight. EU citizens are to benefit from greater transparency about how their transferred data is used and from easier and cheaper redress options than under the previous Safe Harbor regime. US companies that decide to participate in the new regime will face more compliance obligations.
As the UK is due to leave the EU, the Privacy Shield may appear to become less relevant to UK businesses further down the line. However, if, for example, the UK were to become part of the EEA on exiting the EU, it could continue to avail itself of the Privacy Shield. In any event, UK operations dealing with the EU after Brexit are still expected to comply with the Data Protection Act.