You’ll recall that on February 29th 2016, following months of intense negotiations, the European Commission unveiled the current proposals for the proposed new EU-U.S. Privacy Shield to enable compliant transfer of personal data from the EU to the US following the dismantling of the US Safe Harbor Scheme. You’ll see our original blog article about it here. As discussed in our original Blog, this proposed new compliance mechanism seemed fraught with political wrangling from the beginning.
It is disappointing, if not unsurprising perhaps, that the EU
Article 29 Working Party (made up of data protection regulators from 28 Member
States) (“Art29 WP”) recently declared
that in their view the proposed self-certification US Privacy Shield is insufficient
to protect the privacy of EU citizens and fails to meet EU adequacy standards.
This means that anyone ‘holding out’ for the Privacy Shield to be finalised and
turning a blind eye to compliance involving transfers of personal data to the
US must certainly no longer continue to do so. It doesn’t look like there will
be a definite solution in relation to the Privacy Shield anytime soon.
Although it was noted by the Art 29 WP that the Privacy
Shield had made some improvements to the old US Safe Harbor Scheme, there were
still a number of great concerns raised.
For example, the lack of clear rules surrounding data retention, over-collection
and sharing of information for national security purposes and insufficient legal
remedies for EU citizens.
While the Art29 WP also raised some concerns about the
adequacy of Binding Corporate Rules and the EU Standard Contractual Clauses, it
has made clear that organisations can, for now, continue to use these mechanisms
to enable compliance when transferring personal data outside the EEA. The Art29
WP will look into this issue again when the European Commission has made its
decision on the adequacy of the Privacy Shield regime. Although this is
expected to happen by June 2016, recent reports have made this deadline look
rather shaky.
At the end of April 2016, the U.S. Undersecretary of
Commerce for International Trade made it clear that the U.S is not keen renegotiate
the Privacy Shield and that believed that although the Art29 WP’s report was
important, the U.S was not inclined to upset the “delicate balance that was achieved” through the Privacy Shield
negotiations.
The continued debate means that organisations that already transfer
personal data across the water to the U.S face sustained uncertainty.
Don't get caught out without a compliant US transfer
solution in the meantime. If you need our advice on how to transfer personal
data legally to the U.S, please contact us.
No comments:
Post a Comment