U.S. companies needing to transfer personal data of European customers across the Atlantic can now sign up to a new framework to govern such data transfers, with the so-called EU-US Privacy Shield up and running from today.
The European Commission has also now published the legal texts associated with the Privacy Shield agreement, along with a citizens' guide that explains to EU consumers how they can lodge a complaint about the handling of their data by a US company, should they feel the need to.
The new data-transfer deal was officially adopted by the EC last month, bringing to a close some nine months of limbo in the wake of the region’s Court of Justice decision to topple the predecessor framework last year (while failing entirely to end the uncertainty that the demise of Safe Harbor has wrought — given that critics continue to question Privacy Shield’s robustness to future legal challenge).
The EC has claimed the new deal is fundamentally different from the prior self-certification Safe Harbor framework, flagging up the new role it creates of a dedicated US ombudsperson to handle EU citizens' complaints, as well as pointing to various assurances provided by the US government on the limits of bulk collection of data for national security purposes.
Companies signing up to the Shield also face new obligations, such as deleting personal data once it is no longer necessary for the purpose it was collected for. And there is an annual joint review process built into the framework, so that it is continually reviewed and any problems can be tackled.
However, the influential Article 29 Working Party (WP29), the body made up of the heads of the various Member States' data protection authorities, remains critical of the Privacy Shield, despite what it sees as some improvements over Safe Harbor.
In a statement put out late last month the WP29 said it remains concerned about various commercial aspects of the framework, flagging up the lack of specific rules on automated decisions and of a general right to object as problems. It also criticized a lack of clarity about how Privacy Shield Principles apply to processors.
The body also expressed ongoing concern about access by public authorities to data transferred to the U.S. under the Privacy Shield.
“[T]he WP29 would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism,” it wrote. “Regarding bulk collection of personal data, the WP29 notes the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data. Nevertheless, it regrets the lack of concrete assurances that such practice does not take place.”
The group looked ahead to the first joint annual review of the framework, couching it as a “key moment” for assessing the robustness and efficiency of the mechanism.
In the meantime, it added that individual DPAs will commit to assisting EU citizens in their countries with exercising their rights under the Shield, especially with regard to complaints.
In the EC's citizens' guide to the Privacy Shield, the Commission notes that citizens can check the Privacy Shield list on the US Department of Commerce website to determine whether a company has signed up to the framework. At the time of writing there were just under two hours remaining before US companies could begin self-certifying their adherence to the Privacy Shield, so no companies were listed as yet.
Following the demise of Safe Harbor, companies have been using a range of alternative mechanisms to govern personal data transfers, such as standard contractual clauses and binding corporate rules, so it remains to be seen whether companies will rush to adopt the Privacy Shield. Some of these other data transfer mechanisms are also currently subject to legal challenge.