WELCOME TO CHARLES RUSSELL SPEECHLYS.
The Privacy Shield was designed by the U.S. Department of Commerce (DoC) and the European Commission (EC) for the purpose of enabling companies on both sides of the Atlantic to comply with EU data protection laws when transferring personal data from the EU to the USA. Apart from this purpose, the Privacy Shield may be useful more generally, for example, by positioning certified US organisations as the consumers’ choice when it comes to cloud services, social media or other “data-heavy” services, or as trusted importers of personal data from within the US or non-EU jurisdictions, such as Canada or Australia.
If you are wondering what is missing when compared to the principles in the Data Protection Act 1998, it is the requirement not to keep personal data for longer than necessary. This lack of data retention rules has also been mentioned by MEPs during the meeting of the European Parliament Committee on Civil Liberties, Justice and Home Affairs on 17 March 2016.
Organisations are encouraged to certify early and those that self-certify in the first two months will be granted a nine months’ implementation period to put in place transfer agreements.
EU citizens will have recourse if they suspect that their personal data is not processed in a compliant way. At first instance, they may file a complaint with the relevant PSO or invoke the independent free recourse mechanisms. They could also choose to complain to their local DPA, which will presumably become the preferred option for many. At the next level, EU citizens could initiate arbitration before an arbitration panel. Claims will be heard by arbitrators drawn from a pool agreed between EC and DoC. Awards will be subject to judicial review.
The Privacy Shield Ombudsperson at the State Department will oversee the implementation of the Privacy Shield and will ensure that complaints are investigated and remedied appropriately. At the regulatory level, the DoC, the FTC and other agencies (for example, the Department of Transport, which will oversee how Privacy Shield is implemented by airlines) will oversee how organisations comply with their Privacy Shield obligations.
In a similar context, the Judicial Redress Act, which was passed earlier this year, gives EU citizens the right to bring lawsuits against U.S. government agencies in U.S. courts in order to access, amend or correct certain records that U.S. agencies may be keeping about them or to seek redress for the unlawful disclosure of those records. However, recent cases of US citizens against agencies have failed due to lack of evidence and the lack of the courts’ power to force disclosure on the part of the agencies. It will be interesting to see how the Act will operate in practice and we wonder if another “Max Schrems” is already waiting for his/her chance to test it.
Safe Harbour was struck down in October 2015 amidst revelations about NSA spying. The successor Privacy Shield text was published on 23 February 2016 together with a draft adequacy decision for EC to consider. Currently, the Privacy Shield is under review by various European bodies, including Parliament, a committee of Member State representatives and the Article 29 Working Party, which is preparing an opinion on the draft adequacy decision.
According to European Digital Commissioner, Günther Oettinger, the Privacy Shield is expected to come into force in June, but this seems rather optimistic given the unresolved criticism which has been strongly voiced most recently at the meeting of the Parliament committee on 17 March 2016.
The draft adequacy decision relies on the reassurances given by the US President and the NSA that surveillance intelligence collection will always be “as tailored as feasible”, that targeted collection will be preferred over bulk collection and bulk collection will only be used when needed. This commitment has been described as “clear and unprecedented written assurance” from the US.
However, surveillance laws that allow US agencies to undertake the bulk collection of data, including ‘any information relating to US foreign affairs’ in relation to foreign citizens, remain in force. Only Congress could change them. The reassurance from the US government that these broad surveillance laws will be applied narrowly has perhaps rightly raised the question, “What will they [the reassurances] be worth if they are signed by President Trump?”. The ongoing debate suggests that changes may be proposed to the Privacy Shield and the negotiation is far from over.
Privacy Shield risks losing out against alternative transfer mechanisms, not least because national DPAs are starting to take action against companies which purport to rely on the now invalid Safe Harbour regime. European businesses have been forced to take action now and they most commonly revert to the following transfer mechanisms, both of which require implementation through relevant internal processes:
Given the availability of these mechanisms, and the need to take urgent action, one wonders what benefit, if any, Privacy Shield will bring for European businesses.
Privacy Shield will provide a paperwork-free transfer mechanism. However, given the lack of notification obligation on the part of US importers, it is likely that the European exporter will want to put in place an agreement to cover those missing obligations. Does this not defeat the purpose of a paperwork-free Privacy Shield mechanism? Further, Privacy Shield will only cover EU-US transfers, whereas the above-mentioned mechanisms also cover exports to other jurisdictions.
Furthermore, the Privacy Shield will not apply to organisations in the telecoms, insurance and banking sectors which are outside the jurisdiction of the FTC, a prerequisite to self-certification.
Finally, why would an organisation want to sign up to another set of rules enforced by the FTC, which is notorious for its strict approach?
To finish on a positive note, Privacy Shield is a great step forward for the US privacy landscape and we are yet to see how its benefits will translate into EU-US business and consumer relations on a practical level.
This article was written by Alexander Dittel. For more information please contact Alex on +44 (0)20 7427 6579 or at email@example.com