EU Commission issues Privacy Shield details and draft adequacy decision

29/02/2016

The "adequacy decision" for EU-US personal data transfers, drafted by the EU Commission, as well as the texts that will constitute the EU-US Privacy Shield have been published today. The EU Commission concludes that the United States ensures an  adequate level of protection for personal  data  transferred  under  the  EU-US Privacy  Shield. The text will now be evaluated by the EU DPAs and the European Data Protection Supervisor before it can be formally adopted by the College (of EU Commissioners). EU DPAs are expected to give their view by the end of March.

Under the new system, EU citizens would have several redress possibilities. Any complaints received by companies would have to be resolved within 45 days.  In addition to an Alternative Dispute Resolution mechanism, EU citizens could get assistance from their national Data Protection Authorities, who will work with the US Federal Trade Commission.

Enforcement of the programme would be a task for the Federal Trade Commission, but in some cases the EU DPAs’ arms would stretch over the Atlantic. US organisations would have to cooperate if a complaint has been made about Human Resources data collected in the context of an employment relationship. Companies could also voluntarily give oversight to the DPAs.

The programme would be administered by the US Department of Commerce, and participants would have to re-certify annually. Organisations  that  have  persistently  failed  to  comply  with  the  Privacy  Principles  would be  removed  from  the  Privacy  Shield  List  and  would have to  return  or  delete  the  personal  data received under the EU-US Privacy Shield.

There would be an annual review of the functioning of the Privacy Shield, and the Commission would issue a public report to the European Parliament and the Council. The EU DP Regulation  expressly  requires  the  Commission  to periodically  review,  at least  every  four  years,  all  of  its  adequacy  decisions.

The deal would also make it possible to file complaints against US national intelligence activities. An Ombudsperson would be created within the Department of State, who will be independent from the national security services.

Stewart Dresner, PL&B’s Chief Executive, will speak tomorrow in the opening session of the Data Protection Forum in London about the EU-US Privacy Shield.


The EU-US Privacy Shield will also be covered in a session at PL&B’s Roundtable on 9 March with the European Data Protection Supervisor (EDPS). This event will take place at the EDPS’s office in Brussels. The Roundtable titled Influencing the future of privacy in the EU: The EDPS’s role recognises that in this context the EDPS is being consulted on the Privacy Shield together with the Art. 29 Data Protection Working Party. The programme and registration information are at www.privacylaws.com/pon Register now to take one of the few remaining places.
See
http://europa.eu/rapid/press-release_IP-16-433_en.htm?locale=en

Comments:

If you would like to comment on this article, please login or register.

Archive

Tag cloud