The judgment of the Court of Justice of the European Union of 6 October 2015 (case C-362/14, Schrems) caused a real storm. It declared invalid the European Commission's decision underpinning the Safe Harbor program. Following consultations between the EU and the U.S.A., it was agreed that the program would be replaced by the Privacy Shield.
We have already informed you about these events on our blog (1) (2) and in Gazeta Prawna.
How it used to be and how it is today
Until 31 January 2016, businesses transferring personal data to the U.S.A. could still rely on the Safe Harbor program; after that grace period they had to change the legal basis for the transfer. However, not all of them stopped relying on Safe Harbor. On 4 August, this was taken up by the ICO (Information Commissioner's Office, the British equivalent of the Polish GIODO), which called on organisations to refrain from such unlawful transfers.
It has to be emphasized that on 12 July 2016 the European Commission adopted the Privacy Shield as the successor to the Safe Harbor program, and the new rules became binding immediately. What is important, as of 1 August U.S. companies can apply to the U.S. Department of Commerce for self-certification, which allows them to receive data from the EEA under the Privacy Shield. Certified companies are listed on the program's website. If a company is not certified, it is not possible to transfer data to it under the Privacy Shield.
Privacy Shield – main assumptions
- Self-certification, i.e. a commitment submitted to the U.S. Department of Commerce in which a company undertakes to abide by the Privacy Shield principles.
- Supervision of certified companies: the U.S. Department of Commerce is obliged to monitor compliance with the principles and to apply sanctions where required (a company can be removed from the list of certified organisations).
- Appointment of an Ombudsperson, i.e. a person who is supposed to be independent of the U.S. intelligence services and who is supposed to ensure that personal data are used by U.S. public authorities only in a necessary and proportionate way.
- Publicly available dispute resolution mechanisms. A person who believes their personal data have been misused may file a complaint directly with the company, which has 45 days to respond; if the complaint is rejected, they may use Alternative Dispute Resolution or turn to their national data protection authority (e.g. GIODO in Poland), which acts together with the Federal Trade Commission. Finally, as a last resort, it is also possible to pursue binding arbitration.
- An annual review of the Privacy Shield, jointly undertaken by the European Commission and the U.S. Department of Commerce. The review ends with a report identifying the issues that require further joint negotiations and arrangements.
Other grounds for data transfer to the U.S.A.
The Privacy Shield is not currently the only legal basis for transferring data from the EEA to the U.S.A. Standard contractual clauses, approved by the European Commission in the form of a decision, and binding corporate rules (subject to GIODO's approval) are the alternatives. These alternatives may serve as the basis for transferring personal data not only to the U.S.A. but also to any other third country.
Doubts and fears
The Article 29 Working Party on the Protection of Personal Data has issued a statement on the Privacy Shield. It is skeptical about the agreement, pointing to the lack of guarantees of the Ombudsperson's independence and to the lack of clarity about how that mechanism would operate. According to the Working Party, the Privacy Shield does not state unambiguously how personal data protection is to work so as to prevent mass and indiscriminate use of data. There are also no specific rules on automated decision-making and no general right to object. The Working Party emphasizes that only the first annual joint review of the agreement will allow it to assess the effectiveness of the Privacy Shield.