Personal data - EU-US Privacy Shield draws nearer

The replacement for the Safe Harbor scheme applying to the transfer of personal data between the EU and the US moves a decisive step closer. The EU and the US have both published the documents that are to form the basis for the new EU-US Privacy Shield. The framework is expected to be finally adopted in June 2016.

On 29 February both the European Commission and the US Department of Commerce published the documents that are to form the basis for the new EU-US Privacy Shield framework, which will provide a legal basis for transferring personal data between the EU and the US.

The documents include a draft decision by the European Commission that US companies covered by the EU-US Privacy Shield framework are deemed to be located in a secure third country.

The documents also include the privacy shield principles that must be complied with by the US companies joining the framework.

The framework imposes stronger obligations on the relevant companies in the US to protect the personal data of Europeans when data are transferred to the US. In addition, the US Department of Commerce and the Federal Trade Commission (FTC) are to enforce these obligations more strongly, and cooperation with European data protection authorities is to be increased.

More new requirements to be fulfilled by US companies
In order to be certified under the framework US companies are to fulfil a number of requirements and be able to prove that they can fulfil such requirements. The certification process is to be carried out once annually. The US Department of Commerce is to supervise the certified companies and will keep an updated register of the companies that have been certified.

From a European point of view the framework contains several interesting measures. One of them is that a European citizen who suspects that his/her data are being misused can file a complaint directly with the US company that has processed the information, and the company is now under an obligation to reply within 45 days. A European citizen can also file a complaint with his/her national supervisory authority, which will pass the complaint on to the US Department of Commerce, which is then to take a position on the complaint within 90 days. It will also be possible to file a complaint with an independent appeals body appointed by the US company.

Companies in the US that process data about Europeans for HR purposes under the Privacy Shield framework are under an obligation to comply with the guidelines of the relevant European data protection authorities. This means that a US company processing data about Danish employees is to comply with the practice of the Danish Data Protection Agency.

Probable agreement in June
The next step for the EU-US Privacy Shield framework is to consult the Article 29 Working Party about the European Commission's draft decision.

The European data protection authorities in the Article 29 Working Party expect to be able to present their assessment of the draft decision and the other material after the meeting on 12-13 April 2016. Binding statements from representatives of the Member States will then be obtained and the decision can then be adopted by the European commissioners. It is expected that the procedure will be finalised in June 2016.
