The European Commission has issued the legal texts that it is proposed will effect the EU-US Privacy Shield and seek to restore trust in transatlantic data flows. As previously reported (see here and here), the new framework is designed to reflect the requirements set out in the CJEU’s ruling in the Schrems case and will provide redress mechanisms in order to uphold the fundamental rights of EU citizens.
The documents released include the draft “adequacy decision” which will contain the Privacy Shield Principles with which all US companies relying on the Privacy Shield will have to comply, as well as written commitments by the US Government on the enforcement of the Privacy Shield.
The Privacy Shield:
- involves stronger and more transparent obligations on companies and contain effective supervision mechanisms;
- maintains that the US Government must provide written assurances that any access by public authorities of personal data for national security purposes will be subject to clear limitations, safeguards and mechanisms;
- includes a new requirement for companies to resolve complaints within 45 days;
- provides further details on how an Ombudsperson mechanism (independent from national security services) will work within the national security sphere of the US, to follow-up with complaints and enquiries by individuals;
- involves a system of annual re-certification whereby US companies will register to be on the Privacy Shield list and self-certify that they meet the requirements set out; and
- requires a review and public report on the Privacy Shield to be conducted on an annual basis by the European Commission and the US Department of Commerce.
The Article 29 Working Party (WP29) announced that it plans to adopt an opinion on the Privacy Shield at a meeting it has scheduled for 12 and 13 April in order to determine whether the Privacy Shield adequately addresses data protection concerns in light of the issues highlighted by the Schrems judgment. If the WP29 issues a positive opinion, a final decision on the Privacy Shield will be determined by the College of EU Commissioners.
As the Privacy Shield remains the subject of review, it is important for businesses that previously relied on Safe Harbor in respect of data transfers to the US to maintain alternative data transfer solutions such as standard contractual/model clauses in the meantime.