The European Commission's adequacy decision on the new rules for transferring the personal data of European Union citizens to the United States – the EU-US Privacy Shield ("Privacy Shield") – was published on 12 July 2016. The Privacy Shield creates a self-certification system for US companies that wish to process the data of European Union citizens. Its objective is to facilitate the transfer of data while, at the same time, imposing stricter obligations on companies to protect the rights of the citizens in question.
I. EU-US PRIVACY SHIELD
The new rules introduced by the Privacy Shield follow the earlier decision of the Court of Justice of the European Union, which declared that the European Commission's adequacy decision in respect of the Safe Harbour privacy principles was invalid. The Safe Harbour principles allowed the transfer of personal data from the European Union to the United States.
The Privacy Shield is based on a self-certification system, by which American organisations undertake to respect a set of principles relating to the privacy of personal data they receive from the European Union.
Among others, the principles require companies to provide essential information to the data subject, to limit the data processing to specific purposes and to provide mechanisms to oversee compliance with the principles. They also establish what data subjects can do to seek redress if their data is processed illegally.
II. ADEQUATE LEVEL OF PROTECTION
The European Commission considers that the Privacy Shield principles will allow American companies that sign up to them to guarantee an adequate level of protection of personal data they receive from the European Union. The Privacy Shield guarantees that:
- There will be effective protection of the rights of data subjects;
- There will be greater transparency in all processes to transfer personal data, and in the certification of American companies;
- Any access by the US authorities to the personal data that is transferred will be limited to very specific situations connected with national security. Oversight and redress mechanisms are established to safeguard the interests of data subjects, and to exclude the possibility of indiscriminate access to, or mass surveillance of this data;
- American companies that do not comply with the rules will be sanctioned and may ultimately face loss of their certification;
- Onward transfers of personal data will be limited to exceptional situations, and there will be guarantees to ensure that data subjects receive the same level of protection when an onward transfer occurs. These protections apply regardless of whether the data is transferred on to a third party processor or a third party controller, and regardless of whether it is transferred onwards within or outside the United States.
The Privacy Shield establishes improved remedial/compensatory mechanisms for data subjects:
- American companies that process data will be required to respond to complaints addressed to them by data subjects within 45 days;
- Alternatively, data subjects may resort to a designated independent alternative dispute resolution body (which may be located in the United States or the European Union). The use of any such mechanism is free of charge;
- Data subjects can also go to their national data protection authority within the European Union (in Portugal's case, the CNPD), which will cooperate with the American authorities to find solutions to any complaints received, guaranteeing an appropriate investigation and a fast decision;
- As a last resort, data subjects may go to arbitration to be decided by the Privacy Shield Panel, which is made up of three arbitrators chosen from a list created by the US Department of Commerce and the European Commission, to guarantee an enforceable decision.
An annual joint review mechanism is established and the review will be conducted by the European Commission, the US Department of Commerce, and European and American national security experts. They will check whether the Privacy Shield principles are being respected and discuss issues relating to access to personal data by public authorities. A public report will be produced on the basis of this joint review and any other information considered relevant, and it will be sent to the European Parliament and the Council.
V. PRACTICAL CONSEQUENCES
The adequacy decision will have consequences for American companies that wish to process the personal data of European Union citizens, and for those citizens, as follows:
- Among others, American companies will have to (i) provide annual self-certification, guaranteeing that they are complying with the principles and requirements of the Privacy Shield on the transfer, processing and protection of personal data; (ii) publish this certification and their privacy policies, as well as any necessary alterations; (iii) respond, as quickly as possible and certainly within 45 days of receipt, to any complaints addressed to them by data subjects; and (iv) comply with any instructions given to them by the American authorities and cooperate with the European authorities to protect data in the investigation and resolution of any complaints made to these authorities.
- European Union citizens will benefit from (i) greater transparency, security and protection in transfers of their personal data to the United States, and (ii) a faster process, free of charge or less expensive, to address complaints and to obtain a response or compensation for losses.
The US Department of Commerce began to accept applications for certifications from American companies under the Privacy Shield on 1 August 2016. It remains to be seen whether the European Commission's adequacy decision will remain in place, or whether the Court of Justice of the European Union will challenge the effectiveness and/or sufficiency of these principles to guarantee an adequate level of protection for personal data transferred out of the European Union, as it did with Safe Harbour.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.