The EU–US Privacy Shield enters into force

15 September 2016

On 12 July 2016, the European Commission and the US Department of Commerce approved the EU–US Privacy Shield. This replaces the Safe Harbour Framework that was annulled by the judgment of 6 October 2015 of the Court of Justice (see Eubelius Flash 6 October 2015). The Privacy Shield is a new instrument for data transfers to the United States, although some critical voices fear that it will be short-lived.


What will change with the Privacy Shield?

The Privacy Shield (for the text: see here and here) offers companies an additional option for sending data to the United States. It coexists with existing instruments such as standard contractual clauses of the European Commission (regarding which the Irish Data Protection Authority has announced its intention to refer a case to the Court of Justice), ad hoc contracts and binding corporate rules.

The Shield works, just like the former Safe Harbour Framework, through self-certification, but stricter conditions must be complied with in order to qualify for it. The main differences compared with the Safe Harbour Framework are:

  • heavier obligations on data importers (e.g. in respect of information in privacy policies);
  • stricter conditions for onward transfers of data;
  • limitations and safeguards for access by US authorities;
  • regular inspections of certified companies to ensure compliance with the Shield and penalties for non-compliance; and
  • an obligation to provide accessible and affordable dispute resolution for data subjects.

How can one obtain certification?

The US Department of Commerce has launched a website on which companies can register for the Shield. This certification must be renewed every year.
Since 1 August 2016 some 40 companies have signed up.

What does the future hold for the Privacy Shield?

On 26 July 2016, the Article 29 Working Party issued a statement in which it welcomed the improvements of the Shield, but at the same time voiced its continuing concerns with regard to some aspects, such as access to personal data by public authorities.

WP29 stated that it will reassess the Privacy Shield in one year's time so that the Shield will have at least a year to prove its effectiveness. Whether the Privacy Shield will succeed is highly questionable. The Hamburg privacy commission has already announced its intention to take legal action. And Max Schrems, who filed the complaint that formed the basis of the annulment of the Safe Harbour Framework, had a less-than-flattering opinion of the Shield. He described it as "putting 10 layers of lipstick on a pig".

To be continued…