EU: US Privacy Shield - what you need to know

August 15, 2016

The new EU: US data Privacy Shield that came into effect on 1st August has been a much-discussed agreement. The controversy reflects the concerns of EU citizens that data being processed in the US may be exposed to breaches of their data privacy, either by the US government or by corporations, and specifically large technology companies.

After the collapse of Safe Harbor in the Court of Justice of the EU (CJEU) in October 2015, the US and the EU have been working to reach an agreement that would satisfy the concerns of the EU while also being capable of practical implementation.

The Privacy Shield is a much more detailed agreement than Safe Harbor's 7 loose principles and includes a number of significant changes:

  • It contains a requirement for companies to delete personal data once it can no longer be used for the purpose for which it was collected - this was one of the key changes to the originally proposed agreement;
  • Clearer safeguards and transparency obligations are in place. The US Department of Justice is providing written assurance that US authorities' access to EU data will be subject to limitations and safeguards;
  • There will be an annual review of the processes put in place; and
  • The mechanisms for dispute are improved with the creation of an Ombudsperson independent of federal agencies and a new redress system, through which companies must answer complaints within 45 days. If complaints are not settled thereafter, there is an arbitration mechanism to ensure a decision can be enforced.

There is still some question of the admissibility of the Privacy Shield in the CJEU, and it remains to be seen whether the EU judiciary will accept it as a sufficient improvement on Safe Harbor. The Article 29 Working Party have indicated that they will wait a year before initiating any legal challenges to the agreement, which should allow a period of time to gauge its efficacy.

Some privacy campaigners remain unhappy with the promises and assurances, and the fundamental issue remains the same: the EU: US Privacy Shield is untested in court and may be rejected, as was the case with Safe Harbor.

We take the same view as we did of Safe Harbor, which is that this new agreement cannot be relied upon. We advise companies to keep data in its jurisdiction of origin and consult with an expert as to what, if anything, can be transferred and what the appropriate mechanism of transfer is.

FRA is an expert in this area, having supported our clients with investigation and litigation expertise on numerous complex cross-border matters without relying on Safe Harbor for the inter-jurisdictional transfer of client data. We have advised clients globally in all major industry sectors while ensuring compliance with local data protection and data transfer laws and sensitivity to cultural nuances. FRA has over 10 years' experience advising organizations and their lawyers on appropriate eDiscovery strategies with, from the outset, appropriate management of data transfer risks. We have been deploying fully mobile, compliant, end-to-end eDiscovery solutions since 2006 throughout the EU, Switzerland, Canada, China, the former Soviet Union, and in many emerging market locations.