EU Commission issues Privacy Shield details and draft adequacy decision
The "adequacy decision" for EU-US personal data transfers, drafted by the EU Commission, as well as the texts that will constitute the EU-US Privacy Shield have been published today. The EU Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-US Privacy Shield. The text will now be evaluated by the EU DPAs and the European Data Protection Supervisor before it can be formally adopted by the College (of EU Commissioners). EU DPAs are expected to give their view by the end of March.
Under the new system, EU citizens would have several redress possibilities. Any complaints received by companies would have to be resolved within 45 days. In addition to an Alternative Dispute Resolution mechanism, EU citizens could get assistance from their national Data Protection Authorities, who will work with the US Federal Trade Commission.
Enforcement of the programme would be a task for the Federal Trade Commission, but in some cases the EU DPAs’ arms would stretch over the Atlantic. US organisations would have to cooperate if a complaint has been made about Human Resources data collected in the context of an employment relationship. Companies could also voluntarily give oversight to the DPAs.
The programme would be administered by the US Department of Commerce, and participants would have to re-certify annually. Organisations that have persistently failed to comply with the Privacy Principles would be removed from the Privacy Shield List and would have to return or delete the personal data received under the EU-US Privacy Shield.
There would be an annual review of the functioning of the Privacy Shield, and the Commission would issue a public report to the European Parliament and the Council. The EU DP Regulation expressly requires the Commission to periodically review, at least every four years, all of its adequacy decisions.
The deal would also make it possible to file complaints against US national intelligence activities. An Ombudsperson would be created within the Department of State, who will be independent from the national security services.
Stewart Dresner, PL&B’s Chief Executive, will speak tomorrow in the opening session of the Data Protection Forum in London about the EU-US Privacy Shield.
The EU-US Privacy Shield will also be covered in a session at PL&B’s Roundtable on 9 March with the European Data Protection Supervisor (EDPS). This event will take place at the EDPS’s office in Brussels. The Roundtable titled Influencing the future of privacy in the EU: The EDPS’s role recognises that in this context the EDPS is being consulted on the Privacy Shield together with the Art. 29 Data Protection Working Party.