• +49 (30) 804 03 588 | +49 (0)157 322 38619 | +33 (0) 6 79183704
  • sybille.boese-tarsia@sbt-rechtsanwaeltin.eu
  • Nickisch-Rosenegkstrasse 9, 14129 Berlin
  • +49 (30) 804 03 588 | +49 (0)157 322 38619 | +33 (0) 6 79183704
  • sybille.boese-tarsia@sbt-rechtsanwaeltin.eu
  • Nickisch-Rosenegkstrasse 9, 14129 Berlin
POSTED IN: Uncategorized

EU-U.S. Privacy Shield replaces Safe Harbour

EU-U.S. Privacy Shield replacing the Safe Harbour framework for transatlantic exchanges of personal data for commercial purposes adopted by the College of EU Commissioners (EU Commission Decision C(2016) 4176 final).

Key words:

  • Obligations on US companies processing EU personal data
  • Onward transfers to sub-processors
  • Limitations & safeguards with regard to US government access
  • Ombudsman, overseeing complaints for EU citizens
  • EU citizens’ rights to obtain redress in the US

On July 12, 2016, the EU Commission has definitively adopted the EU-U.S. Privacy Shield, replacing the Safe Harbour, annulled by the European Court of Justice, Luxemburg, in October 2015. The decision has entered into force the same day. US companies will be able to certify with the US Commerce Department as of August 1st, 2016.

The Privacy Shield framework has reinstalled legal certainty (for EU businesses) for the data flow from the EU countries to the US, which had been suspended since October 2015, leaving EU business with daily exchanges of data in disarray and despair as to what procedure to apply without risking to be fined.

The EU Commission has issued an “Adequacy decision”, which has the effect that personal data can flow from the 28 EU member states (plus the three EEA member countries) to that third country (i.e. the US) without further restrictions.

The Privacy Shield has however established new, harder principles, obligations precedent, which need to be respected so that the Privacy Shield actually applies.
Those are imposed on the US companies to honour for the Privacy Shield Self Certificate, and are the following:

  1. Notice Principle, i.e. providing information to data subjects on key elements of the processing of personal data
  2. Data Integrity and Purpose Limitation Principle, i.e. only the data relevant for the purpose of the processing may be processed
  3. Choice Principle, conferring the right to data subjects to object (“opt-out”) in case of a changed purpose to the initial processing
  4. Data Integrity and Purpose Limitation Principle, i.e. personal data retention is limited to the time which is justified by its purpose
  5. Security Principle, i.e. organisations creating, maintaining, using and/or disseminating personal data must take “appropriate” security measures and keep them in place. If sub-processing organisations are used, those must abide by the same security obligations.
  6. Access Principle, i.e. subjects have the right to be given access to their personal data with no justification (and little fee to be paid) as well as modify, delete etc.
  7. Recourse, Enforcement and Liability Principle, i.e. organisations must provide solid mechanisms to ensure compliance with the Privacy Shield Principles and make available the right to recur for EU data subjects (whose personal data have been processed in a non-compliant way), including providing for effective remedies (a.o. court defence, damages).
  8. Accountability for Onward Transfer Principle, i.e. limiting the transfer of processing to third parties (from the US to another third country, outside the EU, outside the US), and requiring solid company group principles applied throughout sub-processing companies, when used.
  9. Special rules apply and have to provide for additional safeguards for HR data. HR departments are encouraged to allow very restricted access to the personal data (from inside the organisation, i.e. outside HR), anonymising certain data, using coding, pseudonyms.

To make sure the rights of EU citizens are respected and heard, the Privacy Shield provides for safeguards and transparency obligations on US government access. Everyone in the EU will benefit from redress mechanisms in this area. The US Secretary of State has established the redress possibility for EU citizens through an Ombudsperson mechanism within the Department of State.

An annual joint (i.e. EU/US) review mechanism will monitor the functioning of the Privacy shield, including the commitments and assurance regarding access to data for law enforcement and security purposes.

US companies will have to review their compliance programs (and in the first place: dispose over a compliance program!), as it must provide for an annual review of its program so to adapt to company reality, legislation, US case law.
The Privacy Shield certification is to be renewed on an annual basis.