New rules applicable to transatlantic data flows

The Privacy Shield becomes a reality

Legal Alert (17/2016)

On 12 July 2016, the European Commission gave the green light to the new rules governing the transfer of personal data from the EU to the USA. The new Privacy Shield package will replace the earlier Safe Harbor, which is no longer an effective basis for transatlantic data flows following the judgment of the European Court of Justice of 5 October 2015 in the Schrems case.

What is the Privacy Shield?

The Privacy Shield has been adopted by a decision of the European Commission. Under Directive 95/46/EC, the European Commission may conclude that a third country ensures an adequate level of personal data protection based on its national laws or international obligations. In such cases, as a rule, transfers of personal data to a third country will not require the fulfilment of any additional obligations.

The Privacy Shield comprises the data protection rules agreed by the EU and the USA as well as obligations of the authorities responsible in the USA for personal data processing. The said documents are annexes to the aforementioned decision of the European Commission.

Key assumptions

The objective of the Privacy Shield is to enhance the effectiveness of privacy protection, in particular in the following areas:

  1. transparency of the rules applicable to data processing by data controllers/data processors in the USA:
    The Privacy Shield will operate on the basis of self-certification, i.e. U.S. entities will file a statement of compliance with the personal data processing rules established under the new agreement. The said entities will also be obliged to publish their privacy policies and disclose specific information concerning data processing to natural persons;
  2. effective supervision over data processing in the USA:
    The U.S. Department of Commerce will maintain a register of entities which have joined the Privacy Shield. Regular checks of compliance in data processing will be carried out, and entities which breach the rules established under the new agreement may be removed from the register;
  3. introduction of a free-of-charge alternative dispute resolution mechanism:
    Each U.S. data processor will have to implement an internal complaint handling procedure. Natural persons will also be able to use a free-of-charge ADR mechanism or ask the supervisory authority in their country for assistance. If a dispute may not be resolved amicably in an effective way, an arbitration mechanism may be used.
  4. a limitation on bulk data processing by the U.S. government authorities:
    Personal data may be monitored by the government authorities only in exceptional circumstances, provided that it is necessary and proportional. Disputes which may arise in this regard will be resolved by an Ombudsman appointed especially for that purpose.
  5. introduction of the annual review of the Privacy Shield mechanism:
    The European Commission and the U.S. Department of Commerce will review the effectiveness of the Privacy Shield on an annual basis (the first review is to focus mainly on automated data processing). The review report may indicate areas for further improvement and negotiations.

The Privacy Shield – key responsibilities of data controllers and data processors

  1. the right to information: 
    Natural persons will have to be informed of the type of data being processed, the purpose of processing, the right to access their data, the terms of further data transfers and the responsibility for ensuring security of personal data processing.
    Data processors will also be obliged to publish their privacy policies.
  2. the obligation to ensure data integrity and to limit the purpose of processing:
    Entities should process only such data as may be necessary considering the purpose of such processing, over a period when such data are useful for the accomplishment of a particular purpose. The data being processed have to be complete and up-to-date.
  3. the right of choice:
    If a new purpose of processing differs from the original one, a natural person should be able to object to their personal data being processed (on the opt-out basis). Furthermore, a natural person should have the ability to opt out from their personal data being processed for marketing purposes at any time.
  4. ensuring data processing security: 
    Data processors have to introduce appropriate safeguards depending on such factors as the level of risk relating to data processing and the type of data being processed.
  5. ensuring access to data:
    Natural persons will have the right to receive a confirmation of whether their personal data are being processed by the entity and they will have the right to demand that such data be corrected or deleted where they are not processed in compliance with the Privacy Shield.
    Special rules have been adopted with respect to automated data processing (e.g. profiling), which serves as the basis for case-by-case decisions concerning each natural person (e.g. credit decisions).
  6. enforcement of data processing rules and liability:
    Data processors have to implement internal mechanisms to ensure that the rules of the Privacy Shield are observed and verify whether their policies comply with the new data processing mechanism. The latter objective may be accomplished in two ways: (i) through an internal assessment system combined with employee training; or (ii) through external audit.
    Additionally, the Privacy Shield imposes the obligation to implement an internal complaint handling mechanism.
  7. further data processing:
    Data may be transferred to further entities only under an agreement which will guarantee the same level of protection as the Privacy Shield and only for a specific purpose. Natural persons will have to be informed of the entity which their data is to be transferred to and of the purpose of such a transfer. They will also be able to object to such a transfer (on the opt-out basis) and transfers of sensitive data will only be possible if a relevant consent has been granted by the data subject (on the opt-out basis).