Guide to the EU-US Privacy Shield


On July 12, 2016, following a long negotiation period with the US authorities, the European Commission presented the EU-US Privacy Shield (Decision (EU) 2016/1250 of 12 July 2016, pursuant to Directive 95/46/EC) in order to ensure the protection of personal data transferred from Europe to the US. In this context, the European Commission published a guide, including a Q&A, explaining how the Privacy Shield can be invoked and what a data subject's rights are. This guide provides important clarifications on how the Privacy Shield is used, as well as guidelines on how each data subject may exercise the rights foreseen by the Privacy Shield. More specifically:

1) What is the Privacy Shield and how does it work?

The European Union and the United States have strong commercial ties. In this context, transatlantic transfers of personal data such as a person’s name, phone number, birth date, home and email address, gender as well as any other kind of information that makes it possible to identify a specific person, are highly important. Besides, in today’s global digital economy, many commercial transactions may imply transfers of a person’s personal data. It is therefore essential to ensure safety of these data while they are being transferred from one continent to another. The EU-US Privacy Shield was created for this exact purpose; it allows personal data to be transferred from the EU to a company in the United States, provided that the company there processes personal data according to a set of strong data protection rules, according to the Privacy Shield. The protection provided to a person’s data applies regardless of whether this person is an EU citizen or not – the Privacy Shield always applies when data are transferred from an EU country to the US.

In order for U.S. companies to use the Privacy Shield, they must first register for this framework with the U.S. Department of Commerce. Certification is granted provided that the applying company has a privacy policy in line with the "Privacy Principles" of the Privacy Shield.

2) Who is responsible for supervising compliance with the Privacy Shield?

The U.S. Department of Commerce is responsible for managing and administering the Privacy Shield and for ensuring that companies comply with the Privacy Shield and live up to their commitments. On the U.S. Department of Commerce's website, one may consult the Privacy Shield List, which includes details of all the member companies as well as the kinds of personal data they collect and process. It is worth noting that companies no longer on the Privacy Shield register are not allowed to receive personal data under these terms.

3) What are the obligations of a Privacy Shield Company?

A Privacy Shield company is obliged to protect a person’s personal data and inform her about: a) the types of personal data it processes; b) the reasons why it processes a person’s personal data; c) whether it intends to transfer a person’s personal data on to another company and the reasons why; d) the person’s right to ask the company to access her personal data; e) how to contact the company if a person has a complaint about the use of her personal data; f) the independent dispute resolution body, either in the EU or the U.S., where a person can bring her case, if she has a complaint.

Moreover, a Privacy Shield company may use a person's personal data only for the purpose for which it originally collected this data. Use of the data for a different purpose is allowed only if the new purpose is related to the original one and the data subject does not object to such use; in the case of sensitive personal data, it is allowed only if the data subject gives her consent. Finally, a Privacy Shield company is allowed to keep a person's personal data only for as long as necessary for the processing purposes. It may keep personal data for longer periods only if it needs them for certain specified purposes, such as statistical analysis, literature and art, journalism, etc.

4) How can a person file a complaint and obtain a remedy?

In case a Privacy Shield company does not follow the rules of the Privacy Shield and violates its obligation to protect a person's personal data, the data subject has the right to freely file a complaint and seek damages. In summary, a person may file a complaint with:

  1. the U.S. Privacy Shield company itself;
  2. an independent recourse mechanism, such as an Alternative Dispute Resolution (ADR) body or a Data Protection Authority;
  3. the U.S. Department of Commerce, only through a Data Protection Authority;
  4. the U.S. Federal Trade Commission;
  5. the Privacy Shield Panel, only when certain other options have already been exhausted.

Our law firm’s comment:

The EU-US Privacy Shield is undoubtedly an important innovation towards the protection of personal data. Even though signing up is voluntary, the need to self-register with the Department of Commerce implies a public commitment by the company to comply with the Framework's requirements. Companies that take up commitments of this kind often anticipate reputational benefits, which depend heavily on citizens' awareness and approval. As a result, it remains to be seen how the Privacy Shield framework will be implemented by U.S. companies, however neatly it fills in the pre-existing legal gaps regarding transatlantic transfers of personal data.