With the adoption of the EU-U.S. Privacy Shield the legal limbo for the trans Atlantic data transfer is over. The EU-U.S Privacy Shield replaces the Safe Harbour arrangement that the European Court of Justice in October 2015declared invalid. So, how does the Privacy Shield work?
How the Privacy Shield works
The new regime provides U.S. companies with the means to comply with EU data protection laws when transferring personal data from the European Union to the United States.
The Privacy Shield is designed to protect the fundamental rights of European individuals. The new data sharing rules apply to the transfer of personal data from Europe to the U.S.
Internet companies wanting to transfer data from Europe to the US can do so by self-certifying that they will comply with the Privacy Shield Principles. The decision to join the Privacy Shield programme is voluntary.
Once an organisation decides to adhere to the Privacy Shield Principles through self-certification, it is bound to do so and such commitment is enforceable under U.S. law.
Companies will be able to self-certify with the U.S. Department of Commerce from 1 August 2016.
Compliance with the Privacy Shield Principles requires for instance that organisations:
- inform their users of their rights to access their personal data;
- limit their collection of personal information to information that is necessary for the purposes of processing;
- comply with the new data retention principle;
- provide a free complaint service; and
- respond to a complaint within 45 days.
New data-sharing rules may end up in court again
The development is quite interesting because both the Article 29 Working Group and the European Data Protection Supervisor (EDPS) raised fundamental concerns about the quality of data protection provided for under the EU-U.S. Privacy Shield. The European Commission was not bound by the recommendation of the Article 29 Working Group or the EDPS but it is concerning that the European Commission did not address their concerns at all.
It is likely that the new data-sharing rules for EU and US will be tested in court; just like its predecessor.