Self-certification for Privacy Shield off to a start
The transfer of personal data from the Netherlands to a third country is only allowed if that country “ensures an adequate level of protection”. Within the EU, countries are considered to ensure an adequate level of protection because they have implemented the EU Privacy Protection Directive. This means that, as long as a company complies with the Dutch Data Protection Act (Wbp), transfers to countries within the EU are permitted. For countries outside the EU, however, a special regime applies.
Transfer of data to the U.S.
Because the U.S. has not adopted comprehensive privacy legislation, the U.S. is not considered to ensure an adequate level of protection. As a result, transfers are only permitted on the basis of a statutory exemption, a permit, the use of EU Standard Contractual Clauses or Binding Corporate Rules (BCRs) or, more recently, Privacy Shield.
Privacy Shield
On 12 July 2016 the European Commission adopted the EU-U.S. Privacy Shield (“Privacy Shield”). Privacy Shield replaces the Safe Harbor framework, which was ruled invalid by the European Court of Justice last year. The main goal of Privacy Shield is to ensure a level of protection similar to the level of protection within Europe. Privacy Shield, like Safe Harbor, is a self-certification program in which companies publicly commit to complying with the “Privacy Principles”. From 1 August 2016 the US Department of Commerce will begin accepting certifications. A guide to self-certification by the US Department of Commerce, consisting of five steps, can be found here.
Organisations within the U.S. that are certified under Privacy Shield are assumed to provide an adequate level of protection. This means that organisations in the Netherlands are allowed to transfer personal data to these organisations without additional requirements, for as long as the certification remains valid.
What is new?
The main changes in Privacy Shield compared to Safe Harbor are (1) stronger obligations for entities that process personal data, and means of enforcement; (2) clear(er) safeguards and transparency requirements for access by the American government, which means indiscriminate mass surveillance is ruled out; (3) more rights for individuals and the possibility of filing complaints with an appointed Ombudsperson; and (4) an annual evaluation.
Criticism
As mentioned on our website earlier, there was a lot of criticism of the draft of Privacy Shield. The EU data protection authorities, united in the Article 29 Working Party, issued a critical opinion on 13 April 2016. After the changes that followed, the Working Party continued to raise concerns about some aspects. These concerns mostly relate to the independence of the Ombudsperson and to access to personal data by the American intelligence agencies. Even though the Working Party is positive about the stricter rules on mass surveillance, it is sceptical about whether the measures are adequate. Whether Privacy Shield will be sufficient to produce an adequate level of protection in practice remains to be seen. It may ultimately fall to the European Court of Justice to decide on this in the future.
Stephanie Reinders Folmer