Update Privacy Shield

Brief recap

Data transfers from the EEA to the U.S. are permitted if the receiving company has been certified under the EU-U.S. Privacy Shield, adopted on 12 July 2016 by the European Commission. This self-certification mechanism is considered to provide adequate protection for the transfer of personal data to US companies, subject however to regular review. For more information on the EU-U.S. Privacy Shield, please see our Data Protection Alert on the adoption of the EU-U.S. Privacy Shield.

First annual review

On 18 October 2017, the European Commission (EC) published its report concerning its first annual review of the EU-US Privacy Shield. The objective of such reviews is to ensure that the Privacy Shield “ensures an adequate level of protection” for personal data transfers to the U.S. The review covers all aspects of the Privacy Shield, including its implementation, administration, supervision, and enforcement by the competent authorities and bodies.

Whilst the report concludes that the Privacy Shield is (for the time being) to be deemed adequate, it has provided a list of recommendations for further improvement, which include:

  • companies should not be able to publicly refer to their Privacy Shield certification prior to such certification being granted and their company being added to the Privacy Shield list;
  • the US Department of Commerce (DoC) should conduct regular and proactive searches for false claims of participation in the Privacy Shield which can weaken the credibility of the system;
  • the DoC should regularly monitor compliance with the Privacy Shield;
  • the national data protection authorities and the DoC should further strengthen their awareness-raising efforts;
  • the U.S. administration should confirm its political commitment to the Ombudsperson mechanism by filling the position of the Ombudsperson with a permanent appointee as soon as possible; and
  • the U.S. authorities should report to the EC, in a timely and comprehensive manner, any developments that could be of relevance for the Privacy Shield.

WP29 on the first annual review

On 28 November 2017, the Article 29 Data Protection Working Party (WP29) also released its opinion on the first review of the Privacy Shield (Opinion). The WP29 recognises the efforts made by US authorities to set up a comprehensive procedural framework to facilitate the functioning of the Privacy Shield. However, the WP29 also identified a number of significant concerns with respect to both the commercial and the national security aspects of the Privacy Shield framework and emphasized that these need to be addressed within given timeframes. Should these concerns not be remedied, the WP29 states that its members will take appropriate legal action, such as challenging the validity of the Privacy Shield before national courts with the objective for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.

Model Clauses

Brief recap

The EC has decided, on the basis of Directive 95/46/EC, that certain standard contractual clauses offer sufficient safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals in relation to the exercise of corresponding rights (model clauses). Therefore, a company located within the EEA can transfer personal data to a company located outside of the EEA, if a data transfer agreement is in place between the two companies which incorporates the unmodified model clauses.

For the moment, three sets of standard contractual clauses are available: two for transfers from data controllers in the EEA to data controllers outside of the EEA, and one for transfers from data controllers in the EEA to data processors established outside of the EEA. Processor-to-processor model clauses were discussed, but never adopted.

Model clauses and transfers to the US

On 3 October 2017, the High Court of Ireland rendered a decision in The Data Protection Commissioner v. Facebook Ireland case, in which the High Court granted the request of the Irish Data Protection Commissioner for a reference to the CJEU for a ruling on the validity of the standard contractual clauses in relation to transfers of EU personal data to the US. The High Court is in the process of hearing the parties and determining the exact questions that it shall refer to the CJEU for a preliminary ruling.

If the CJEU decides to render the model clauses invalid, this could have a significant impact on companies that currently rely on this mechanism for transfers of personal data to the U.S.