European Commission releases Privacy Shield legal texts
Process EU data in the US? Time to re-write privacy policies.
This article was first published by Computing Magazine and is re-published here with the kind permission of the editors.
The European Commission has published the legal texts for the new EU-US data-privacy safeguards, the replacement for Safe Harbour dubbed Privacy Shield.
The new agreement was necessary after the European Court of Justice (ECJ) struck down the Safe Harbour agreement between the US and the European Union in October 2015. It claimed that Safe Harbour did not do enough to comply with the EU Data Protection Directive of 1995, which only allows transfers of EU citizens' data outside the bloc if the destination country ensures an "adequate" level of data privacy protection.
The adverse legal judgment gave the two blocs just months to thrash out a new deal that would govern the processing of personal data, addressing the ECJ's criticisms.
The Privacy Shield agreement is similar in many respects to the Safe Harbour agreement, with companies having the same obligations in relation to disclosure and security. However, the Privacy Shield adds the qualified right of EU citizens to access data about them that has been transferred.
A key new right is that companies processing personal data under the Privacy Shield will have to respond to individual complaints about their handling of that data within 45 days. They will also have to appoint an independent dispute resolution body to resolve complaints, and either provide appropriate recourse for no charge to the individual or opt-in to an "effective enforcement mechanism". A new Privacy Shield Ombudsman will be appointed to adjudicate on any complaints that arise.
"Like Safe Harbour, the Privacy Shield relies on companies self-certifying their compliance. That's sure to be controversial - Safe Harbour didn't have a good track record of self-certified companies complying with the commitments they made," said Phil Lee, a partner at law firm Fieldfisher and a data protection specialist who is based in Palo Alto, California, working with US companies on European data issues.
Lee continued: "Privacy Shield is, essentially, an amped-up version of Safe Harbour: it builds on very similar principles, but adds more details and controls. In many ways it bears a lot of similarities to Binding Corporate Rules, except that it relies on self-certification rather than regulatory authorisation and only allows transfers to the US rather than worldwide.
"Privacy Shield companies are going to need to revisit their existing privacy notices and contractual relationships with partners and vendors. Those will all need to be re-written and re-negotiated to meet Privacy Shield requirements."
Safe Harbour enabled more than 4,500 US companies to self-certify compliance with European Union data privacy regulations, legally enabling them to process the data of EU citizens in US data centres.
"Self-certification under the Safe Harbour removed many of the hurdles faced by US companies attempting to transfer data from EU member states under the directive - rather than having to comply with each individual member state's directive guidelines to transfer data, a US company was able to self-certify and bypass individualised compliance," according to the US National Law Review.
The invalidation of the agreement would have placed in doubt the legality of cross-border data transfers between the EU and the US, and would have complicated the businesses of organisations such as Facebook and Amazon. The ruling followed the EU Advocate General's opinion on Safe Harbour in September 2015, which suggested that changes would need to be made to the Safe Harbour agreement.
The draft Privacy Shield was concluded at the beginning of February and is intended to address the objections of the ECJ. It will now be scrutinised by EU data protection authorities who will make their (non-binding) recommendations to the ECJ. A final judgment is expected in June.