Following the invalidation of the 'Safe Harbor'
programme by the Court of Justice of the European Union
("ECJ") in October 2015 and after months of negotiations
between the EU and US, the European Commission formally adopted
'Privacy Shield' on 12 July 2016. Privacy Shield is
designed to replace the Safe Harbor programme and to facilitate the
continued flow of personal data between the EU and the US.
However, transatlantic data flows face further legal scrutiny in
the context of the current Irish High Court case of 'Schrems

Key features of Privacy Shield

US companies will be able to self-certify their compliance with
Privacy Shield from August 1st 2016 once certain pre-conditions
have been met, including:
having a dispute resolution mechanism in place.
As with Safe Harbor, only companies that are subject to the
jurisdiction of the US Federal Trade Commission or the US
Department of Transportation are eligible to participate in Privacy
Shield. The US Department of Commerce ("DOC") has
established a Privacy Shield team to assist with enquiries as to
eligibility for self-certification. The DOC will conduct regular
reviews of participating companies to ensure compliance with the
principles contained in Privacy Shield.

There are several options under Privacy Shield for an individual
who believes that his/her data has been misused, including:
making a complaint directly to the company itself, which must
respond within 45 days;
making a complaint to the national data protection authority in
Europe, which will work with US authorities to investigate complaints;
accessing a free alternative dispute resolution mechanism as
nominated by the company.

A Privacy Shield Panel with 'consumer-friendly' features
(e.g. no cost, possibility to participate by video-conference, free
of charge translation and interpretation) has also been created
which will act as a last-resort arbitration mechanism for
complaints. The Panel will be drawn from a pool of arbitrators
designated by the DOC and the European Commission.

US Government commitments

The White House has given commitments that the data flowing from
the EU to the US will not be subject to indiscriminate mass
surveillance. In addition, there will be a US-based independent
ombudsman who will be responsible for invoking the rights of
individuals in circumstances where they believe their personal data
has been unlawfully used by US security agencies.
Although Privacy Shield provides a solution to the challenge of
international data transfers following the invalidation of the Safe
Harbor programme, there is a possibility that it will be challenged
by privacy activists or European Data Protection Authorities by way
of a referral to the ECJ for an assessment as to whether it
actually provides protection to the standards imposed under EU law.
Pending the outcome of such an assessment, the ability of Privacy
Shield to serve as a reliable long-term method for data transfers
is in some doubt. A decision invalidating Privacy Shield would
leave companies that had self-certified under Privacy Shield
scrambling to implement model clauses contracts (or other
mechanisms) in order to continue importing personal data from the

"Schrems II" High Court case

The invalidation of Safe Harbor by the ECJ occurred as a result
of a complaint made by Austrian lawyer Max Schrems in relation to
the transfer of his data from Ireland to the US by Facebook under
the Safe Harbor framework. Mr. Schrems subsequently made a
complaint to the Irish Data Protection Commissioner in relation to
the use by Facebook of model clauses contracts for transfers of
data between Ireland and the US.
The Irish Data Protection Commissioner, in a draft finding,
concluded that Mr. Schrems had raised "well-founded"
objections to the validity of model clauses contracts. When a
"well-founded" decision is reached, the next step for the
Commissioner is to seek to have the ECJ decide the issue, by way of
a referral from the Irish High Court. The High Court case is
ongoing but if a referral is made by the High Court, the ECJ will
be asked to make a decision on whether the transfer of data to the
US could mean that it can be processed and accessed in a manner
that is inconsistent with the Charter of Fundamental Rights of the
EU. Given the significant ramifications of the case, a number of
organisations have successfully applied to join the case as amicus
curiae, including the US Government.
EU businesses engaging in trade with the US will be following
the Schrems II case and future developments in respect of Privacy
Shield with interest.