Czech Republic: Privacy Shield: the new framework for the transfer of personal data from the EU to the U.S.
In the wake of the ECJ decision of 6 October 2015, which put an end to the free transfer of personal data to the U.S. on the basis of the Safe Harbor program, the European Commission and the United States agreed on a new framework for the transmission of personal data from Europe to the U.S., named Privacy Shield. In other words, after the safe harbor was closed, a shield is now to be raised, so as to again allow the simplified transfer of data from the EU to the USA without first having to obtain license from the national data protection authorities, or entering into standard contractual clauses with data processors from the U.S., or adopting binding corporate rules.
On 29 February 2016, the European Union published legal texts which form the basis for implementing the new system for protecting the flow of data between the EU and the U.S. In addition, the European Commission published the draft of an ‘adequacy decision’ and the texts which will form the core of the privacy shield between the EU and the USA, such as written commitments by the U.S. government regarding the enforceability of the agreement (to be published in the U.S. Federal Register), including warranties by the Americans according to which the safeguards and restrictions regarding the access to data by public authorities are equivalent to the personal data protection standards in place in the EU.
As in the previous case of Safe Harbor so in the case of the Privacy Shield, the program is based on the principle of „self-certification”, performed by individual companies which thus get to be entered in a whitelist of U.S. businesses who may be provided with personal data from the EU under a simplified regime. In order to ensure adequate data protection, new measures are to be implemented, e.g. supervision and annual evaluation by U.S. authorities as to whether the companies participating in the information exchange comply with the required standards; in the case of non-compliance, they may be sanctioned or taken off the list. The protection of EU citizens is to be ensured e.g. by the possibility to address complaints directly to the U.S. company, by an ADR procedure, or by the establishment of an independent ombudsperson’s office at the State Department.
However, only time will tell whether Privacy Shield does really afford sufficient protection for personal data from the EU. Experts believe that the Privacy Shield is primarily a self-serving fig leaf for covering the shortcomings of the original Safe Harbor agreement. As such, it may well be that it, too, will eventually be quashed.
Source: legal texts of the European Commission on the EU-U.S. Privacy Shield