News and events

EU-U.S. Privacy Shield taking form


Updated 13.6.2016

On 29 February 2016, the European Commission issued the legal texts intended to put in place the so-called EU-U.S. Privacy Shield, which would replace the previously repealed Safe Harbor framework and enable transatlantic data flows. The Privacy Shield is based on a system of self-certification by which U.S. companies and organizations commit to certain privacy principles.

The purpose of the Privacy Shield is to ensure adequate protection of Europeans’ personal data when transferred to the U.S., which would be achieved through strong obligations on companies and robust enforcement. Said obligations would, for instance, set stricter liability rules for sub-processing activities. Companies’ commitments under the Privacy Shield would be legally binding and enforceable.

U.S. public authorities’ access to personal data for law enforcement, national security and other public interest purposes would be subject to clear limitations, safeguards and oversight mechanisms. An Ombudsperson would be established to follow up on complaints and enquiries related to access and processing for national security purposes, as well as a number of other redress possibilities, such as a cost-free alternative dispute resolution body. A Privacy Shield Panel, which would be able to take binding and enforceable decisions against any company committed to the Privacy Shield, would also be established.

The Privacy Shield would be subject to an annual joint review mechanism under which the European Commission and the U.S. Department of Commerce would review the functioning of the Shield together with national intelligence experts from the U.S. and EU Data Protection Authorities, as well as the Ombudsman.

The final decision regarding the Privacy Shield is yet to be made. The Article 29 Working Party, consisting of EU Data Protection Authorities, has conducted its assessment of the proposed Privacy Shield and published its statement in April 2016. The Working Party welcomed the improvements brought by the Privacy Shield compared to the Safe Harbor framework, but pointed out that the new mechanism struggles with an overall lack of clarity, and that a review of the Privacy Shield will have to take place after the new General Data Protection Regulation comes into force to make it compliant with the new requirements. Moreover, the Working Party found that certain key concepts of European law are not reflected in the documentation, such as the application of the purpose limitation principle to the data processing (personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes). The Working Party also pointed out that there is not sufficient U.S. representation to exclude massive and indiscriminate collection of personal data originating from the EU, and expressed its concern that the new Ombudsperson is not sufficiently independent and does not have enough power to exercise its duty effectively. The Working Party urges the European Commission to resolve these concerns and provide clarification to ensure that the protection offered by the Privacy Shield is essentially equivalent to that of the EU.

Privacy Shield is now in use as of 1.8.2016.

For further information, please contact:
Anna Liinamaa