The publication of the details of the Privacy Shield, which will replace the Safe Harbor for the transfer of personal data to the United States, sets a higher bar of compliance.
How have the Safe Harbor issues been addressed?
The Privacy Shield follows from the invalidation of the Safe Harbor program, which was previously one of the available options allowing transfers of personal data to the US. In order to address the issues raised in the decision of the European Court of Justice, the European Commission issued a draft decision in which it held that
- The US ensures an adequate level of protection to personal data in relation to US companies self-certified under the Privacy Shield;
- Clear limitations on the access and use by US authorities of personal data have been put in place;
- An annual joint review of the arrangement by EU and US authorities will be performed; and
- Stronger remedies will be granted to EU individuals whose personal data has been misused, including the Ombudsperson that will assist complaining EU individuals.
Similar privacy principles, but more detailed obligations
The Privacy Shield contains the same principles and self-certification requirements provided by the Safe Harbor, but the applicable obligations are set out in much greater detail. For instance, the “notice principle”, which sets out the information to be disclosed to individuals on the processing of their personal data, now contains 13 categories of information! This is not new for companies operating in Italy, as the Italian Privacy Code is very detailed on the amount of information to be provided to individuals about the processing of their personal data.
How will compliance be ensured?
The Privacy Shield provides for increased scrutiny by the US Department of Commerce of the approval of self-certification by US companies and of the validation of the information provided, as well as increased monitoring of the self-certified entities by
- Running compliance audits on the program generally and on the participating organizations;
- Obliging companies that committed a “persistent failure to comply” with the Privacy Shield principles to delete the data obtained under the program;
- Cooperating with European data protection authorities;
- Publishing on its website the news on the enforcement of Privacy Shield violations;
- Checking the activity of entities formerly enrolled in the program to make sure that they either continue to comply with the program for the personal data collected under its principles or delete that data; and
- Developing an arbitration procedure for complaining individuals.
What happens now?
Once the decision of the European Commission (which is still a draft) is finalized, the full Privacy Shield will be adopted and will become effective in the US shortly thereafter. However, both US companies that were previously Safe Harbor certified and those that were not should build, or at least update, their privacy compliance programs in order to be ready when the Privacy Shield is adopted. It is not certain that the European Data Protection Authorities will agree with the Privacy Shield, but there is strong political support to make sure that this happens.