logo text

Tuesday 3 May 2016

You can't rely on the US Privacy Shield yet - EU report says 'must do better'


You’ll recall that on February 29th 2016, following months of intense negotiations, the European Commission unveiled the current proposals for the proposed new EU-U.S. Privacy Shield to enable compliant transfer of personal data from the EU to the US following the dismantling of the US Safe Harbor Scheme.  You’ll see our original blog article about it here.  As discussed in our original Blog, this proposed new compliance mechanism seemed fraught with political wrangling from the beginning.

It is disappointing, if not unsurprising perhaps, that the EU Article 29 Working Party (made up of data protection regulators from 28 Member States) (“Art29 WP”) recently declared that in their view the proposed self-certification US Privacy Shield is insufficient to protect the privacy of EU citizens and fails to meet EU adequacy standards. This means that anyone ‘holding out’ for the Privacy Shield to be finalised and turning a blind eye to compliance involving transfers of personal data to the US must certainly no longer continue to do so. It doesn’t look like there will be a definite solution in relation to the Privacy Shield anytime soon.

Although it was noted by the Art 29 WP that the Privacy Shield had made some improvements to the old US Safe Harbor Scheme, there were still a number of great concerns raised.  For example, the lack of clear rules surrounding data retention, over-collection and sharing of information for national security purposes and insufficient legal remedies for EU citizens. 

While the Art29 WP also raised some concerns about the adequacy of Binding Corporate Rules and the EU Standard Contractual Clauses, it has made clear that organisations can, for now, continue to use these mechanisms to enable compliance when transferring personal data outside the EEA. The Art29 WP will look into this issue again when the European Commission has made its decision on the adequacy of the Privacy Shield regime. Although this is expected to happen by June 2016, recent reports have made this deadline look rather shaky. 

At the end of April 2016, the U.S. Undersecretary of Commerce for International Trade made it clear that the U.S is not keen renegotiate the Privacy Shield and that believed that although the Art29 WP’s report was important, the U.S was not inclined to upset the “delicate balance that was achieved” through the Privacy Shield negotiations.

The continued debate means that organisations that already transfer personal data across the water to the U.S face sustained uncertainty. 

Don't get caught out without a compliant US transfer solution in the meantime. If you need our advice on how to transfer personal data legally to the U.S, please contact us.

No comments:

Post a Comment