EU Announces Solution to Crisis over Data Export to US with Privacy Shield Decision
The European Commission has adopted a decision that will see personal data able to be exported to the US safely in accordance with EU data protection laws.
The Facts
Personal data can only be exported out of the European Economic Area if it is to a destination that provides adequate protection or there is some other mechanism such as a data subject’s informed consent. There are some means to enable data export, such as on model contractual clauses approved by the European Commission. To enable easy flows of data between entities in the EU and the US, the US had adopted the Safe Harbor scheme in 2000. However, that basis was struck down in a European Court of Justice judgment last year (the Schrems case). This was due to concerns over the adequacy of protection in the US, and in particular disclosure for wide data surveillance means.
Urgent discussions have been held to seek a replacement for Safe Harbor to enable the free flow of data. The Commission’s adoption of the Privacy Shield seeks to plug that gap. It will enable transfer of data from a data controller or data processor in the EU, to self-certified US-based entities. The US-based entities that participate will be subject to various data protection principles. This will include ensuring that any onward recipient of the data is also subject to the same standards of protection. Participants will have to display their privacy policy on their website, and the US Department of Commerce will monitor and verify that these are in line with the Privacy Shield principles.
There will be redress mechanisms for EU citizens such as timely direct resolution by the participant entity, free of charge alternative dispute resolution, a data protection authority taking the matter forward and a privacy shield arbitration panel. In addition, there will be an ombudsman to address national security related complaints. The ombudsman will be independent from the US intelligence agencies.
Comment
The European Commission has heralded the Privacy Shield launch, and rightly so. It has been welcomed by many businesses. However, some people have raised criticisms and have called it a sham. It is possible that it may yet be open to challenge Another fly in the ointment, and what this means for UK businesses, is the UK’s prospective departure from the EU. However, if the UK is to remain part of the EEA, Privacy Shield is likely to remain very relevant.