After two and a half years of negotiations, companies will be able to self-certify their adherence to the Privacy Shield principles from 1 August 2016. This is a watershed moment for the fledgling replacement for the Safe Harbor Framework, which will facilitate transfers of personal data from the EU to the US. Although some uncertainty remains regarding possible challenges, it is expected that the Privacy Shield will become a key component in companies' strategies for creating compliant EU-US data flows.
Key Features of the Privacy Shield Framework
The Privacy Shield framework has four core components:
- obligations on companies - the Privacy Shield increases obligations on companies, particularly in relation to the publication of privacy statements and the onward transfers of data, and puts in place oversight and enforcement mechanisms to ensure compliance;
- safeguards and transparency regarding US government access - written assurance has been given by the US that any access by public authorities to personal data will be subject to clear limitations, safeguards, and oversight mechanisms. In addition, US authorities have confirmed the absence of indiscriminate mass surveillance;
- redress mechanisms for data subjects - the Privacy Shield framework includes multiple redress mechanisms for data subjects, including access to ADR processes and ultimately a binding arbitration process. In relation to US government access, an independent ombudsperson will address complaints; and
- on-going monitoring - an annual joint review mechanism will monitor the implementation of the Privacy Shield and provides a mechanism for updating the Privacy Shield where necessary.
Article 29 Working Party Committee Provides Tentative Approval
After initially expressing concern regarding some aspects of the Privacy Shield, the Article 29 Working Party Committee released a statement on 26 July 2016 endorsing the operation of the Privacy Shield, albeit with some reservations. The Working Party noted that it still believes that the protections regarding the automated processing of data and the general right to object to processing may be insufficient. It also expressed regret that concrete assurances regarding the bulk collection of personal data by public authorities have not been given. Having made these criticisms, the Working Party notes that the first annual review of the operation of the Privacy Shield will be a key moment to assess the viability of the framework, and seems to be indicating that it will not challenge the validity of the Privacy Shield for at least 12 months.
Next Steps for Companies
In order to avail of the Privacy Shield, companies must self-certify adherence to the principles of the framework using the tool that will be provided at www.privacyshield.gov. As registrations are subject to processing by the US authorities, it may take a number of days before a registration appears on the Privacy Shield list, which will be made available at the same website. It will therefore be important for data controllers in the EU to ensure that the US counterparty to whom they are transferring personal data is listed on the Privacy Shield website before commencing any transfers.
The End of the Beginning
With the Privacy Shield finally becoming available, companies have the option to implement an additional mechanism to facilitate data transfers beyond the Model Clauses and Binding Corporate Rules. However, given the persistent criticism of the Privacy Shield in certain quarters, and the judgment in the Schrems case, it appears inevitable that the Privacy Shield will be subject to challenge sooner rather than later. In addition, there are likely to be future changes to the Privacy Shield framework in order to address the requirements of the GDPR and any issues identified in annual reviews. As such, it would be prudent for companies that intend to rely on the Privacy Shield to incorporate one of the other mechanisms for supporting transfers in their overall strategy for compliance with the transfer restrictions.