The judgment of the Court of Justice of 6 October 2015 (case No C-362/14) has caused a real storm. It annulled the European Commission’s decision in relation to the Safe Harbor program. As a result of consultations between the EU and the U.S.A., it was established that the program would be replaced by the Privacy Shield.
We have already informed you about these events on our blog (1) (2) and in Gazeta Prawna.
How it used to be and how it is today
Until 31 January 2016, entrepreneurs transferring personal data to the U.S.A. were able to act under the Safe Harbor program; after a transitional period, they had to change the legal basis for the transfer. However, not all of them stopped acting under the Safe Harbor program. On 4 August, this was taken up by the ICO (Information Commissioner’s Office, the British equivalent of the Polish GIODO), which called for refraining from such illegal actions.
It has to be emphasized that on 12 July 2016, the European Commission adopted the Privacy Shield program as a better successor to the Safe Harbor program, and the new regulations became binding immediately. Importantly, as of 1 August, U.S. entrepreneurs can apply to the U.S. Department of Commerce for self-certification, which allows them to receive data from the EEA under the Privacy Shield program. Registered entrepreneurs can be found on the program’s website. If an entrepreneur is not certified, data cannot be transferred to it under the Privacy Shield program.
Privacy Shield – main assumptions
Other grounds for data transfer to the U.S.A.
The Privacy Shield is not currently the only legal option for transferring data from the EEA to the U.S.A. Standard contractual provisions approved by the European Commission in the form of a decision, or binding corporate rules (following GIODO’s approval), are alternatives. These alternatives may constitute the grounds for personal data transfer not only to the U.S.A. but also to other third countries.
Doubts and fears
The Article 29 Working Party on Personal Data Protection has issued a statement on the Privacy Shield. It is skeptical about the above-mentioned agreement, pointing to the lack of a guarantee of the ombudsman’s independence and mechanism of operation. According to the Working Party, the Privacy Shield does not unambiguously indicate how personal data protection should function so as to prevent mass and illegal use of data. There are also no specific regulations regarding automated data processing or a general right to object. The Working Party emphasizes that only the annual review of the functioning of the agreement will enable it to assess the effectiveness of the Privacy Shield.