The New US-EU Privacy Deal

On 6 October 2015 the European Court of Justice (ECJ) ruled the US Safe Harbor Decision invalid on the basis of the inadequate protection given to Europeans’ data once transferred to the US.

On 2 February 2016, a political agreement was reached on a new framework for transatlantic data flows, the EU-US Privacy Shield, to replace the previous arrangement.

On 29 February 2016, the European Commission released the guidelines of the Privacy Shield, a draft proposed by the US.

What obligations for US companies?

The new arrangement will be more transparent and contain effective supervision mechanisms to ensure that companies follow the rules they have legally committed to uphold.

US companies wishing to import personal data from Europe under the Privacy Shield mechanism will need to comply with certain obligations on how personal data is processed and individual rights are guaranteed.

Companies which have claimed adherence to the Privacy Shield scheme will be faced with strong sanctions if they do not comply with their undertakings.

Clear limits with respect to US government access to personal data:

For the first time, the US government has provided the EU with written representations and assurances that access by public authorities will be subject to limitations. The newly created Ombudsperson mechanism will handle and resolve complaints or enquiries raised by EU individuals.

Effective protection of EU individuals’ privacy rights:

The Privacy Shield scheme provides for various dispute resolution mechanisms. Any EU individual will be able to complain directly to the US company, which will have 45 days to answer. In addition, any company handling human resources data from Europe has to commit to comply with the decisions of the relevant European Data Protection Authority (DPA), while other companies may voluntarily make such a commitment.

EU individuals may also take their complaint to their “home” DPA, which will have a specific procedure to refer complaints to the US authorities.

In addition, a new dispute resolution mechanism will be set up: the Privacy Shield Panel, which will be entitled to take binding and enforceable decisions against US companies.

The Privacy Shield is now under review by the EU’s Article 29 Working Party, which will render a non-binding opinion within the next few months. Taking that opinion into account, the full European Commission will then formally vote on the adequacy of the Privacy Shield program, at which point it will take effect. Therefore, U.S. organizations still have a few months before they can formally sign up for the new Privacy Shield and, regardless of the Working Party’s response, it would be wise to carefully consider all alternatives available.

The Privacy Shield is not yet a done deal!

Aurélie KLEIN
