Data protection: US privacy shield

Published on 03 October 2016

The EU published the draft text of the much-anticipated “Privacy Shield” deal on 29 February. This was amended following criticisms and the revised text was formally adopted by the European Commission on 12 July 2016. Companies have been able to certify with the US Department of Commerce since 1 August 2016.

The development

Following concerns about the February draft, in particular that it did not adequately remedy the problem of US authorities’ ability to collect EU citizens’ data in bulk, the adopted text contains amendments aimed at addressing those concerns and clarifying the scope of protection. These include stronger obligations on US companies to protect personal data, such as greater transparency, increased monitoring/compliance, and more explicit redress mechanisms. Other key elements include:

  • the Privacy Shield will also apply to the three European Economic Area (EEA) states which are not part of the EU (Iceland, Liechtenstein, and Norway)
  • US authorities will only be permitted to conduct bulk surveillance in exceptional circumstances, and that bulk collection must be “as targeted and focused” as possible
  • there are now rules on data retention, meaning that US companies will be required to delete data they hold which becomes redundant for the purpose for which it was collected. Exceptions to this principle are limited
  • any contract between a Privacy Shield organisation and a third party organisation must require the third party organisation to inform the Privacy Shield organisation when it is no longer able to meet the standards required under the Privacy Shield
  • the US has agreed that the ombudsperson will be independent from US national security and intelligence services and will operate without interference from such organisations.

Why is this important?

Companies are once again allowed to lawfully transfer personal data from the EEA to US businesses (if they’re certified) without the complexity of a web of “Model Clauses” and/or the limited use of Binding Corporate Rules.


Any practical tips?

Don’t relax on international data transfers, just because the new Privacy Shield is now in place. On a practical level, even if the US party is newly certified, the data it processes will still be flowing beyond its corporate borders to third parties – and note that there is nothing on how third parties (who are not Privacy Shield certified) are meant to assess if they meet the standards or not (see fourth bullet above).

On a more general level, keep an eye on the Model Contract Clauses. The Irish Data Protection Commissioner recently referred (25 May 2016) questions on the adequacy of the Model Contract Clauses to the Irish Courts with the recommendation that the case be settled at the CJEU. Throw in the consequences of Brexit (eg will the UK be “white-listed”, or have its own UK Privacy Shield?) and the foundations of international data transfers still feel relatively unstable.