The European Commission yesterday issued an adequacy decision adopting the EU-US Privacy Shield, which
replaces Safe Harbor as a framework for protecting European data
transferred to the United States. Adoption had been expected since
the European Commission announced on Friday that Member States had
given their "strong support" to the new framework
(although we note that Austria, Bulgaria, Croatia and Slovenia
abstained from voting).
Are there any final changes?
There have been some tweaks to the Privacy Shield regime since
the draft adequacy decision was issued in February. These include:
- clarifications on the bulk collection of data. In particular, the Office of the Director of National Intelligence has clarified that the bulk collection of EU data can only be used under specific preconditions and must be "as targeted and focused" as possible;
- introducing more explicit obligations on companies as regards limits on retention and collection of data. Specifically, companies now have to delete data that no longer serves the purpose for which it was collected; and
- Ombudsperson mechanism. In its press release, the Commission makes clear that the Ombudsperson is independent from the US intelligence
What were the criticisms?
The changes are intended to address a critique of Privacy Shield
issued in April by European data protection regulators (aka the
Article 29 Working Party), which concluded that Privacy Shield
– while a huge improvement on Safe Harbor – still did
not meet EU privacy standards. This was largely because:
- massive and indiscriminate data collection by American authorities was still not fully
- the Privacy Shield lacked an explicit data retention principle; and
- the powers and independent position of the Ombudsperson (who deals with national security-related complaints) were not made clear.
What does the future look like for Privacy Shield?
The Commission's tweaks will address the A29WP's
concerns to some degree, but that mightn't be enough to keep
the privacy wolves at bay.
Privacy Shield may well be subject to a future challenge on the
basis of "equivalence" with EU law, and it will almost
certainly undergo further A29WP review. Potential issues remain,
such as the fact that Privacy Shield (like Safe Harbor) is largely
self-certified. Indeed, one of the main privacy advocates in the
European Parliament (MEP Jan Philipp Albrecht) commented that the
European Commission has "just signed a blank cheque for the
transfer of personal data of EU citizens to the US, without
delivering equivalent data protection rights". Max Schrems has
said he will challenge it.
In the medium term, inconsistencies between Privacy Shield and
the upcoming GDPR requirements could also limit Privacy
Shield's shelf life. Therefore, the climate seems ripe for
challenge. Max Schrems has also sought to challenge model clauses
in an application by the Irish DPA to the Irish High Court.
Privacy observers will also be keeping an eye on how Brexit
plays out: will the UK find itself negotiating its own form of
Privacy Shield to ensure EU adequacy?
Even so, Privacy Shield will be a valid solution for transfers
to the US. American companies may begin to self-certify with the US
Commerce Department from 1 August, and we expect to see many large
US vendors taking up this option. Microsoft has concluded on its official blog that the Privacy Shield
"meets each of [the] requirements...of... European data