- The Privacy Shield will now go into effect.
- The preliminary start date for companies to be certified under the Privacy Shield is August 1, 2016.
- Expect more challenges to the Privacy Shield before all is said and done.
Following the invalidation of the US-EU Safe Harbor by the European Court of Justice in the Schrems case, the European Commission negotiated a replacement scheme with the US, called the Privacy Shield. The first draft was issued in February 2016 and submitted to the Article 29 Working Party, which gave its opinion on April 13, 2016. The European Data Protection Supervisor then issued his opinion on May 30, 2016. In view of the objections raised, the Commission resumed its work with the US authorities to improve the scheme. The final draft was submitted to the Article 31 Committee, composed of representatives of all Member States, and was approved by that Committee on July 8. On July 12, the Commission officially adopted the Adequacy Decision, finding that personal data transferred from the EU to the US under the Privacy Shield enjoys an adequate level of protection.
The Privacy Shield consists of the Commission decision and various Annexes. The so-called Privacy Shield Principles are set out in Annex II. This is the most important document for businesses, since it explains their obligations under the Privacy Shield. These obligations are similar to those under current EU privacy law and cover the following topics, among others:
- notice to the data subject
- accountability for onward transfer
- data integrity and purpose limitation
Entities wishing to certify under the new scheme will have to adapt their privacy policies to these rules. The other Annexes deal with the recourse available to data subjects (including an Ombudsperson and an arbitration panel, neither of which existed under the old Safe Harbor) and with access to personal data by US national security and surveillance authorities.
Old and New Drafts Compared:
Given the fairly strong objections raised by the Article 29 Working Party and the European Data Protection Supervisor, it is of course tempting to compare the final draft with the February one.
A difference which is easy to spot is that in February, the Commission was a bit too confident about the reaction it would get from the Article 29 Working Party and referred to the “favorable opinion” it was expecting. In the final version, the Commission simply states that the Working Party published “its opinion”, thus indirectly admitting that the opinion was not favorable.
Some of the letters from US authorities which form part of the Annexes are the same as those attached to the first draft, but there is a new letter in Annex VI which deals specifically with the manner in which the US conducts bulk collection of signals intelligence. In that letter, dated June 21, 2016, the General Counsel of the Office of the Director of National Intelligence explains that “bulk” collection is different from “mass” or “indiscriminate” collection.
The initial draft of the Commission decision did not address the fact that the General Data Protection Regulation (GDPR), a new set of privacy rules that is more burdensome for businesses processing personal data, will apply throughout Europe from May 2018. The final draft now refers to the GDPR in one paragraph, where the Commission states that it will “assess the level of protection provided by the Privacy Shield following the entry into application of the GDPR.”
In the press statement from the Commission that announced adoption of the Privacy Shield, the Commission said companies would be able to certify with the US Commerce Department starting August 1, 2016.
However, it seems very likely that the Privacy Shield will be challenged before the European Court of Justice. Additionally, under the Schrems judgment a Commission adequacy decision does not prevent national DPAs from examining complaints about transfers made under it. A DPA cannot itself invalidate the Adequacy Decision, but if it concludes that the Privacy Shield does not provide an adequate level of protection it can bring the matter before the national courts, which may in turn refer the question to the European Court of Justice.
The Article 29 Working Party is meeting on July 25 to review the final version of the Privacy Shield, and it will be interesting to see what conclusions it reaches.