The European Commission yesterday issued an adequacy decision adopting the EU-US Privacy Shield, which
replaces Safe Harbor as a framework for protecting European data
transferred to the United States. Adoption had been expected since
the European Commission announced on Friday that Member States had
given their "strong support" to the new framework
(although we note that Austria, Bulgaria, Croatia and Slovenia
abstained from voting).
Are there any final changes?
There have been some tweaks to the Privacy Shield regime since
the draft adequacy decision was issued in February. These
- clarifications on the bulk collection of data. In particular, the Office of the Director of National Intelligence has clarified that the bulk collection of EU data can only be used under specific preconditions and must be "as targeted and focused" as possible;
- introducing more explicit obligations on companies as regards limits on retention and collection of data. Specifically, companies now have to delete data that no longer serves the purpose for which it was collected; and
- Ombudsperson mechanism. In its press release, the Commission makes clear that the Ombudsperson is independent from the US intelligence
What were the criticisms?
The changes are intended to address a critique of Privacy Shield
issued in April by European data protection regulators (aka the
Article 29 Working Party), which concluded that Privacy Shield
– while a huge improvement on Safe Harbor – still did
not meet EU privacy standards. This was largely because:
- massive and indiscriminate data collection by American authorities was still not fully
- the Privacy Shield lacked an explicit data retention principle; and
- the powers and independent position of the Ombudsperson (who deals with national security-related complaints) were not made clear.
What does the future look like for Privacy Shield?
The Commission's tweaks will address the A29WP's
concerns to some degree, but that mightn't be enough to keep
the privacy wolves at bay.
Privacy Shield may well be subject to a future challenge on the
basis of "equivalence" with EU law, and it will almost
certainly undergo further A29WP review. Potential issues remain,
such as the fact that Privacy Shield (like Safe Harbor) is largely
self-certified. Indeed, one of the main privacy advocates in the
European Parliament (MEP Jan Philipp Albrecht) commented that the
European Commission has "just signed a blank cheque for the
transfer of personal data of EU citizens to the US, without
delivering equivalent data protection rights". Max Schrems has
said he will challenge it.
In the medium term, inconsistencies between Privacy Shield and
the upcoming GDPR requirements could also limit Privacy
Shield's shelf life. Therefore, the climate seems ripe for
challenge. Max Schrems has also sought to challenge model clauses
in an application by the Irish DPA to the Irish High Court.
Privacy observers will also be keeping an eye on how Brexit
plays out: will the UK find itself negotiating its own form of
Privacy Shield to ensure EU adequacy?
Even so, Privacy Shield will be a valid solution for transfers
to the US. American companies may begin to self-certify with the US
Commerce Department from 1 August, and we expect to see many large
US vendors taking up this option. Microsoft has concluded on its official blog that the Privacy Shield
"meets each of [the] requirements...of... European data
Dentons is the world's first polycentric global law firm. A
top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm
is committed to challenging the status quo in delivering consistent
and uncompromising quality and value in new and inventive ways.
Driven to provide clients a competitive edge, and connected to the
communities where its clients want to do business, Dentons knows
that understanding local cultures is crucial to successfully
completing a deal, resolving a dispute or solving a business
challenge. Now the world's largest law firm, Dentons'
global team builds agile, tailored solutions to meet the local,
national and global needs of private and public clients of any size
in more than 125 locations serving 50-plus countries.