On 12th July 2016, the European Commission published a declaration regarding the EU – US Privacy Shield adopted by the Member States.

The EU – US Privacy Shield will guarantee a high level of protection to persons and legal certainty to companies. As already mentioned in one of our previous articles, this mechanism replaces the old “Safe Harbour” in order to fulfil the requirements contained in the ruling dated 6th October 2015 by the European High Court of Justice regarding data protection.

The Privacy Shield differs from the “Safe Harbour” by imposing clear and firm obligations upon companies which deal with data and by ensuring that these rules are respected and complied with in practice.

The new mechanism includes:

  • Strict obligations for companies which work with data:

The US Department of Commerce shall carry out periodic updates and reviews of participating companies, with the purpose of guaranteeing that they comply with the relevant laws and regulations, as well as the department’s regulations.

  • Obligations regarding transparency and clear safeguards for US Government access.

The US has given the EU written guarantees that access to personal data by public authorities for law enforcement and national security purposes is subject to clear limitations, safeguards and supervision mechanisms.

  • Redress; Efficient protection of individual rights:

Any citizen who considers that their data have been inappropriately used shall benefit from various mechanisms for remedying the situation, including action for the resolution of disputes via accessible and affordable procedures.

The available remedies or actions are:

– A direct claim to the company which handles personal data. The company should respond to the claim within 45 days.

– Alternative Dispute Resolution (ADR), which is free of charge.

– Request for action to be taken by the Data Protection Authority.

– Arbitration from the Privacy Shield Panel.

  • Annual joint review mechanism:

The purpose of the annual joint review mechanism is the monitoring of the operation of the Privacy Shield, including the commitments and guarantees of the US regarding access to data for law enforcement and national security purposes. The review shall be carried out by the European Commission and the US Department of Commerce, associating national intelligence experts from the US and the European Data Protection authorities.

The framework of the Privacy Shield shall be published in the Federal Registry of the US, and as of that moment, the US Department of Commerce shall start to operate the Privacy Shield. Once companies have been able to review their data protection rules and bring their compliance up to date, they may self-certify before the Commerce Department as from 1st August.

At the same time, the European Commission shall publish a brief guide for citizens explaining the possible legal remedies when an individual deems that their personal data have been used without taking into account the regulations on data protection.

Mika Otomo

Vilá Abogados

For more information, please contact:

va@vila.es

22nd July 2016