On Tuesday 12th July the European Commission announced the approval of the new US-EU Privacy Shield agreement regarding the transatlantic transfer of personal data, simply referred to as “Privacy Shield”, thus bringing months of judicial uncertainty for European companies to an end.
What is the likely impact of the Privacy Shield on European companies? In this post, we take a look at the implications and other request questions around this new agreement that aims to offer increased data protection security for European citizens and greater judicial clarity for businesses.
This post is also available in Spanish.
1.From when will the Privacy Shield apply?
From July 12, 2016 in Europe, the date when the Privacy Shield was approved by the European Commission the adequacy decision was notified to all EU Member States. The new agreement will be implemented in the United States from the day it is published in the Federal Register.
2. What's new in this agreement compared to Safe Harbor?
The Safe Harbor was based on seven basic principles expressed in the EU Commission Decision of 26 July 2000, under which American companies receiving European citizens’ personal data unequivocally and publicly committed themselves to applying the afore-mentioned principles. This committment was understood as a self-certification framework for companies whereby the certified entity was subject to the jurisdiction of US government agencies when complaints regarding non-compliance were submitted by the affected European citizens.
The Safe Habor’s 7 principles were related to the following aspects:
(i) The recommendations made by the Commission in November 2013.
(ii) The requirements laid down by the European Court of Justice on 6 October 2015 in response to the areas of uncertainty brought about by Safe Harbor.
(iii) The observations made by the Article 29 Working Party on 13 April 2016.
The Privacy Shield’s system and overall operation is to remain the same as Safe Harbor: American companies will still have to make a formal declaration of adherence to the Privacy Shield, thus forcing them to comply with all of its security measures, including being subject to supervision and monitoring by the United States Department of Commerce. Any additional commitments include the implementation of stringent obligations for companies that process personal data, as well as monitoring mechanisms for US companies, as detailed in the following section.
"The EU-U.S. Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings strong data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our U.S. counterparts to put in place an arrangement with the highest standards to protect Europeans' personal data." - Vĕra Jourová, European Union's Commissioner for Justice, Consumers and Gender Equality |
3. What does the Privacy Shield regulate?
The Privacy Shield is structured around 4 key principles:
4. How will the Privacy Shield work?
The United States Department of Commerce will continue as the body responsible for the application of guarantees and processes arising from the implementation of the new Privacy Shield agreement.
As indicated above in point 2, the system is similar to that of Safe Harbor but with greater levels of assurance and protection. U.S. companies that offer services in Europe and who are always involved in transfers of personal data shall be registered on the "Privacy Shield List", so that their activities can be monitored and reviewed by the United States Department of Commerce.
Spanish companies wishing to contract the services of American companies must ensure that the latter are in the afore-mentioned list to prove that they are committed to meet the same safety standards required of operators within the European Union. This means that U.S. companies who process personal data must meet the safety requirements required in the European Union.
Both the United States and the European Union will periodically review the effectiveness of the new agreement, with an obligation to make adjustments to its clauses if and when any breach is detected.
5. What benefits will the Privacy Shield bring to Spanish companies and the European Union in general?
European companies hiring American companies that appear on the Privacy Shield List published by the U.S. Department of Commerce, and whose services include transatlantic data transfer, can offer their customers and/or users greater guarantees of data protection resulting from the effective implementation of the principles mentioned in point 2.
At an operational level, Spanish companies wishing to contract the services of American companies are not currently required to obtain authorization from the Spanish Data Protection. Nor are they obligated to get the unequivocal consent from the data owner to make transatlantic data transfers.
It must be noted that the Privacy Shield - even if a valid political agreement between the United States and the European Union - is subject to the control of the European authorities and citizens, since non-compliance can provoke a lawsuit or be subject to revision at any time, as was the case with Safe Harbor.
This post is also available in Spanish.
 |
This is a guest post by Ana Martiza Vega Suárez. Ana Maritza is lawyer specialized in new technologies and intellectual property as well as being the founder of Avatic Abogados. @AnaVegaSuarez @AvaticAbogados |
|
This is a guest post by Ana Martiza Vega Suárez. Ana Maritza is lawyer specialized in new technologies and intellectual property as well as being the founder of Avatic Abogados. @AnaVegaSuarez @AvaticAbogados |
RELATED POSTS
