Privacy Shield. A New and Improved Safe Harbor. briefing


The European Commission adopted its much anticipated decision on the EU-US Privacy Shield ("Privacy Shield") on 12 July 2016. The Privacy Shield was developed jointly by the European Commission and the US Department of Commerce to replace the Safe Harbor framework, which was declared invalid by the Court of Justice of the European Union in the Schrems case.

The adoption of this adequacy decision by the Commission means that any transfers of personal data from the EU to companies in the United States that are certified under the Privacy Shield will be deemed to be made in accordance with EU data protection law. As noted in our previous article, US companies have been able since 1 August 2016 to sign up to the Privacy Shield and receive personal data originating in the EU on the basis of their Privacy Shield certification. It has been reported that over 500 organisations have been certified under the Privacy Shield to date, including such prominent stakeholders as Microsoft, Google and Salesforce, and that some 1,000 more are in the process of applying.

Criticism

The Privacy Shield has been the subject of much comment (both positive and critical) since its publication. Most of the criticism levied at the Privacy Shield focuses on concerns over the potential access by US public authorities to personal data transferred from the EU to the US. This potential access was one of the main criticisms of Safe Harbor arising from the Schrems case, and appears to be a continued source of concern for privacy campaigners. Other criticisms of the Privacy Shield include that certain principles of European data protection law, for example in relation to data retention and purpose limitation, are not adequately reflected in the framework, and that the Privacy Shield does not give users as much control over the use of their personal data as they have under EU data protection law.

What is new and improved in the Privacy Shield?

Such criticism notwithstanding, it seems clear that the Privacy Shield improves on Safe Harbor in a number of key areas, considered below.

More detailed transparency/notice requirements: The privacy principles that US companies receiving personal data originating from the EU will have to comply with (the "Principles") include more detailed and robust notice requirements than those required under Safe Harbor. For example, organisations signing up to the Privacy Shield must provide a notice, in clear and conspicuous language, informing individuals of:

- the types of personal data the organisation is collecting;
- whether (if relevant) its subsidiaries adhere to the Principles;
- the purposes for which the organisation will disclose personal data to third parties;
- the right of individuals to access their personal data;
- the independent dispute resolution body designated to address complaints and provide recourse;
- the possibility in certain circumstances to invoke binding arbitration; and
- the requirement to disclose personal information in response to lawful requests by public authorities.

In addition, the Principles are set out in a clear and easily understandable way for organisations in a single annex (Annex II) of the Commission's Decision. In the Safe Harbor decision these were constituted, in a rather piecemeal fashion, of Privacy Principles in one annex and Frequently Asked Questions in another annex.

More choice over uses of personal data: The Privacy Shield requires certified organisations to offer individuals clear, conspicuous and readily available mechanisms to allow them to opt out of the disclosure of their personal data to third parties (save where such disclosure is to an agent pursuant to a contract) or of the use of their data for a purpose that is "materially different" from the purpose(s) for which it was originally collected (or subsequently authorised) by the individuals. The requirement for an opt-out for a materially different use of data under the Privacy Shield is arguably more protective than the obligation under Safe Harbor, which required an opt-out only for a purpose that was "incompatible" with the purpose(s) for which the data were originally collected or subsequently authorised.

Strengthened requirements and accountability for onward transfers: The Privacy Shield contains more detailed requirements in relation to the onward transfer of personal data from Privacy Shield organisations in the US to other third party organisations. Any onward transfers to data controllers must be made on foot of a contract with the third party controller providing that any data so transferred "may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the [Privacy Shield] organisation if it can no longer meet this obligation". By contrast, Safe Harbor only contained a broad requirement to apply the Notice and Choice Principles in respect of the disclosure of information to third parties.

In addition, the Privacy Shield expands on the requirements set out in Safe Harbor in respect of the transfer of data to agents. These additional requirements include that the Privacy Shield organisation:

- transfers data only for limited and specified purposes;
- takes reasonable and appropriate steps to ensure that any processing is carried out in accordance with the Principles;
- takes steps to stop and remediate unauthorised processing; and
- provides a summary or copy of the relevant privacy provisions of the contract with the agent to the Department of Commerce if requested.

A further improvement on Safe Harbor from a privacy perspective is that the Principles expressly state that Privacy Shield organisations will remain liable for any processing of personal data by their agents in a manner inconsistent with the Principles (unless the organisation proves that it is not responsible for the event giving rise to the damage). Safe Harbor, by contrast, contained a general presumption that the organisation, once it had complied with the principles in respect of onward transfer to an agent, would not be held responsible for processing outside of the permitted purposes, unless the organisation was aware or should have been aware of such processing and did not take steps to remedy it.

Data retention: The Principles state that personal data may only be retained for as long as it serves the processing purpose(s) for which it was originally collected or authorised by the individual (with an exception for archiving purposes in the public interest, journalism, literature, art etc). This is a marked improvement on Safe Harbor, which did not include specific obligations in relation to data retention.

Wider range of enforcement mechanisms: The Privacy Shield also improves on Safe Harbor to the extent that it offers a wider range of avenues for individuals to seek redress where they are affected by an organisation's non-compliance with the Principles. These options include bringing a complaint:

- to the relevant organisation (the organisation must respond within 45 days);
- to the independent dispute resolution body designated by the organisation in accordance with the Principles; or
- directly to the Federal Trade Commission.

Individuals may also complain to a national Data Protection Authority, which will deliver advice through an informal panel of DPAs established at Union level. Where the Privacy Shield organisation fails to comply with the DPAs' advice within 25 days, the matter may be referred to the FTC or other competent US authority for enforcement action (eg under Section 5 of the FTC Act or a similar statute) or to the Department of Commerce (which may remove the organisation from the Privacy Shield List). Finally, as a mechanism of last resort, individuals have the right to invoke binding arbitration. The Department of Commerce is to establish a fund, supplied with annual contributions from Privacy Shield organisations, to help cover the costs of the arbitration.

Ombudsperson: The Commission decision acknowledges that, whilst EU individuals do have certain avenues of redress where they have been the subject of unlawful surveillance for US national intelligence purposes, the available causes of action are relatively limited, and EU citizens may have difficulty showing that they have the requisite standing (ie a legally protectable interest) to bring a case to court. In an effort to fill this gap, the US Secretary of State has committed to create a new Privacy Shield Ombudsperson, who is to be independent from the US Intelligence Community, and whose remit will include ensuring that individual complaints are properly investigated, that US laws have been complied with, or, where such laws have been violated, that the non-compliance has been remedied. Helpfully, individuals can address complaints to a competent national authority in their own country (and in their own language), and that authority will then assist the individual in formulating the request to the Ombudsperson. Also positive from a privacy perspective is that, to bring a complaint before the Ombudsperson, an individual will not have to demonstrate that his or her personal data have in fact been accessed by the US government via surveillance activities.

Assurances regarding access by US national security agencies: The Privacy Shield includes written commitments by the US Government on enforcing the arrangement, including assurances from the Office of the Director of National Intelligence and the US Department of State on the safeguards concerning access to personal data by public authorities in the US.

Annual re-certification: Organisations must self re-certify their compliance with the requirements of the Privacy Shield to the Department of Commerce on (at least) an annual basis, and the Department is to monitor compliance with this requirement and remove organisations that do not re-certify as required from the Privacy Shield List. The assessment and verification requirements were not as clear under Safe Harbor: under that regime, an organisation was required to sign a statement verifying that a self-assessment had been carried out once a year.

Annual Joint Review mechanism: A major advantage of the Privacy Shield over the Safe Harbor framework is that there is an in-built Annual Joint Review mechanism to review the functioning of the Privacy Shield on an annual basis. This annual review is to be performed by the Commission, the US Department of Commerce and the Federal Trade Commission, together with other relevant stakeholders such as Intelligence Community representatives and the Privacy Shield Ombudsperson, as appropriate. It will also be open to EU DPAs and representatives of the Article 29 Working Party to participate in this review meeting. This means that the Privacy Shield is intended to be a living instrument, which can adapt as required to reflect future developments in privacy law. Indeed, the decision specifically states that the Commission will assess the level of protection provided by the Privacy Shield following the entry into application of the General Data Protection Regulation (in May 2018). By contrast, Safe Harbor only provided for a review to be carried out by the Commission after three years.

Privacy Shield, whilst not perfect, is a viable option for transfers

Whilst it is arguable that some of the criticism levied at the Privacy Shield may be justified (for example, it may be difficult in reality to fully monitor the access US intelligence agencies may have to EU data transferred under the Privacy Shield), it should also be remembered that the Privacy Shield is relevant to personal data that was originally collected in accordance with EU data protection law. As such, data subjects should have been informed of any further processing of their personal data (including any processing in the US) at the time of collection, and any such processing should be compatible with the purposes for which the data were originally collected. Furthermore, any analysis of the Privacy Shield needs to take into account, from a realistic and practical standpoint, the reality that managing data transfers in today's global business environment can present significant challenges for organisations. It is also worth bearing in mind that the other currently approved exemptions to the prohibition on the transfer of personal data outside of the EEA, such as obtaining data subjects' consent, entering into data transfer agreements based on the EU Commission approved Model Clauses, or putting in place binding corporate rules, can also present challenges to implementation in practice.

In light of the matters considered above, it seems fair to conclude that the Privacy Shield represents a marked improvement on the Safe Harbor framework. As such, as organisations weigh up the various options around the transfer of personal data to the United States, the Privacy Shield would appear to represent a viable solution.

Further information

Paul Lavery, Partner, Head of Technology & Innovation Group. ddi +353-1-607 1330, email paul.lavery@mccannfitzgerald.com
Lorraine Power, Senior Associate, Technology & Innovation Group. ddi +353-1-607 1743, email lorraine.power@mccannfitzgerald.com

Alternatively, your usual contact in McCann FitzGerald will be happy to help you further.

This document is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Principal Office: Riverside One, Sir John Rogerson's Quay, Dublin 2, D02 X576. Tel: +353-1-829 0000
London: Tower 42, Level 38C, 25 Old Broad Street, London EC2N 1HQ. Tel: +44-20-7621 1000
New York: Tower 45, 120 West 45th Street, 19th Floor, New York, NY 10036. Tel: +1-646-952 6001
Brussels: 40 Square de Meeûs, 1000 Brussels. Tel: +32-2-740 0370
Email: inquiries@mccannfitzgerald.com

McCann FitzGerald, October 2016
www.mccannfitzgerald.com