• HOME
  • Insights
  • Privacy Shield adopted by European Commission but does it provide a reliable solution for businesses?
30 08 2017 Insights Cyber and Data Protection

Privacy Shield adopted by European Commission but does it provide a reliable solution for businesses?

I Stock000027220420 Double

14th July 2016

Following the declaration of invalidity of the Safe Harbour framework for EU-U.S. data transfers by the Court of Justice of the European Union (“CJEU”) in October 2015, Privacy Shield, the new framework for transatlantic data transfers, has now been adopted by the European Commission on Wednesday, 12 July 2016. With ongoing uncertainty for European organisations looking to do business with or in the U.S., Privacy Shield has been heralded as a key solution. However, uncertainty remains as to whether it will provide a reliable long term means of legal transfer given that further legal challenge may be likely.

The Commissioner’s press release emphasises that the new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.

Privacy Shield is based on the following principles:

  • Strong obligations on companies handling data: under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.
  • Clear safeguards and transparency obligations on U.S. government access: The U.S. has given various assurances that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms.
  • Effective protection of individual rights: Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Complaints are to be resolved by the company itself, or ADR solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. An arbitration mechanism exists as a last resort. EU citizens will also benefit from redress mechanisms in the area of national security which will be dealt with by an Ombudsperson independent from the U.S. intelligence services.
  • Annual joint review mechanism: Privacy Shield will be monitored by the European Commission, the U.S. Department of Commerce and data protection authorities. The Commission has stated that it will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.

The “Adequacy Decision" was notified to the Member States on 12 July 2016 and entered into force immediately. U.S. companies will be able to certify with the Commerce Department from 1 August 2016 once they can meet certain pre-conditions such as having a dispute resolution mechanism and privacy statement in place.

Businesses are in an ongoing state of uncertainty as to the validity of previous accepted mechanisms for transfers of data to the U.S., particularly given the intention of the Irish Data Protection Commissioner to determine the legal status of data transfers under standard contractual clauses through the referral mechanism to the CJEU. While the European Commission states that Privacy Shield reflects the requirements set out by the European Court of Justice in the Schrems v Facebook ruling, further legal challenge is expected. Strong concerns continue to be voiced by privacy rights groups about the level of protection of European citizens’ data from U.S. government surveillance despite the commitments given. The Article 29 Working Party has been critical of flaws in the earlier draft of Privacy Shield and is due to give its position on the final draft on 25 July 2016.

While it may be attractive to many companies to self-certify under Privacy Shield, a decision invalidating it in the same way as Safe Harbour will necessitate those companies again considering alternative transfer mechanisms. Given this uncertainty, many organisations will be holding back to see what developments take place in this area over the coming months and strategising long term viable solutions and alternatives to support EU-U.S. data transfers.

If you have any queries about the content of this article, please do not hesitate to contact:

Bryan McCarthy, Partner - bryan.mccarthy@rdj.ie

SHARE
Stay loop bg
Sign up

Stay in the loop

Sign up to our newsletter

Related Insights

Practice
Cyber and Data Protection 05 04 2024

Data breach claim struck out in Cork Circuit court as ‘minor’ incident

In our latest Insight, Jennifer Noctor, Partner in RDJ's Cyber and Data Protection team, discusses a data breach claim which was struck out in the Circuit Court affirming the principal that a certain minimum level of severity must be obtained in…

Read more About This Data breach claim struck out in Cork Circuit court as ‘minor’ incident
I Stock 1485820940
Cyber and Data Protection 24 01 2024

Balancing Risk with Innovation: EU's Approach to AI Procurement Contracts

As we edge closer to the AI Act being adopted into an agreed and final text, the European Commission have published a draft of what are known as 'standard contractual clauses' for the procurement of artificial intelligence systems. In this insight,…

Read more About This Balancing Risk with Innovation: EU's Approach to AI Procurement Contracts
AI woman
Cyber and Data Protection 17 01 2024

2024: The Year Of AI

On 29 December 2023, on the floor of the New York Stock Exchange, 2024 was declared to be the “year of AI” by top tech analyst Dan Ives. In this insight, Ricky Kelly and Sadhbh Walsh look at efforts made to regulate the use of AI around the world in…

Read more About This 2024: The Year Of AI
EU Flag and Binary code
Cyber and Data Protection 29 05 2023

Recent Developments To The EU'S Cyber Resilience Framework

Cybersecurity continues to be a significant risk for organisations across all sectors. This year, we have already seen a significant bolstering of the European Commission’s legal framework with initiatives that seek to advance a comprehensive…

Read more About This Recent Developments To The EU'S Cyber Resilience Framework
Website Insight Template 3
Cyber and Data Protection 17 05 2023

Non-Material Damage Compensation – the CJEU Enters the Fray

The CJEU delivers its first, and eagerly awaited, decision on the concept of ‘non-material damage’ arising from an infringement of the GDPR and in doing so departs from the Advocate General’s Opinion. In this insight Lorcan Moylan Burke and Ricky…

Read more About This Non-Material Damage Compensation – the CJEU Enters the Fray
Cyber Security
Cyber and Data Protection 11 05 2023

Cyber Incident Response and Crisis Management Workshop

On Wednesday, 10 May, we hosted a Cyber Incident Response and Crisis Management workshop with RDJ partners Ricky Kelly and Jennifer Noctor and guest speakers Mark Fawcett and Joseph Dashwood from Control Risks.

Read more About This Cyber Incident Response and Crisis Management Workshop