EU-US Privacy Shield adopted – Applicable as of 01.08.2016
The EU-US Privacy Shield was adopted by the European Commission on July 12, 2016. It is to enter into force on August 1, 2016 and replace the former Safe Harbor Agreement, which was declared invalid by the European Court of Justice (ECJ) (judgment of October 6, 2015 – Case C-362/14). The new Privacy Shield is intended to implement the requirements of the ECJ as far as possible and provide companies with a new option for data transfers to the USA. However, there continues to be much criticism of the effectiveness of the regulations and the lack of implementation of the judicial requirements.
The EU-US Privacy Shield is a step forward compared to the former Safe Harbor agreement, whose effectiveness could hardly be verified and which in many cases had not been implemented properly. The new Privacy Shield takes up some of the ECJ's guidance and some of the criticism voiced by regulators. Among other things, it is to be welcomed that the Privacy Shield places strong emphasis on the following principles:
- Strengthened obligations to U.S. companies with respect to processing of personal data, particularly through periodic reviews of participating U.S. companies.
- Protection of individuals' rights: data subjects can exercise their rights through free-of-charge dispute resolution mechanisms, a complaints procedure with the national data protection authorities, and a newly established ombudsperson.
- An annual joint review of the mechanism's effectiveness by the EU Commission and the U.S. Department of Commerce.
In this respect, the new agreement is undoubtedly a step forward compared to Safe Harbor. Since it takes the form of an adequacy decision of the EU Commission, it can be relied on under the applicable national data protection provisions in conjunction with Art. 25(6) of the EU Data Protection Directive 95/46/EC (in future Art. 45(1) GDPR). However, there is a risk that the ECJ will review the EU-US Privacy Shield and once again conclude that it is invalid.
One particular criticism of the agreement is that access by U.S. security authorities to the personal data of EU citizens is only marginally restricted. The restriction on access by security authorities rests solely on letters and written assurances from the U.S. side. Therefore, one of the ECJ's main criticisms remains inadequately addressed.
Our recommendation on the EU-US Privacy Shield
It is to be welcomed that a successor to Safe Harbor was negotiated which takes up many of the points of criticism raised by the supervisory authorities and the European Court of Justice. Nevertheless, we fear that the European Court of Justice, when reviewing the Privacy Shield, will find that the requirements set out in its Safe Harbor ruling have not been met, in particular because access by U.S. security authorities remains barely restricted.
We see a great risk that the EU-US Privacy Shield will again be declared invalid by the European Court of Justice within a few years, or that the data protection supervisory authorities will not recognize it. Our recommendation is therefore the same as when the Safe Harbor agreement was in force: as far as possible, companies should base their data transfers to the U.S. on the EU standard contractual clauses or on other mechanisms under the General Data Protection Regulation (for example, certifications or codes of conduct).
We will be happy to advise you on the legally compliant design of data transfers to the USA. Please contact: Dr. Stefan Drewes, 0228-90248070.