Nine months after the judicial repeal of the Safe Harbor agreements, which since 2000 had regulated data protection relations between U.S. and E.U. companies, the European Commission approved the E.U. Privacy Shield, or Privacy Shield USA, on July 12, 2016.
After a few months of uncertainty, and of information requests from the AEPD to companies that were required to notify their relationships with U.S. service providers, things can return to their natural course, in favor of the way of doing business that the Third Industrial Revolution has come to establish: the intensive use of technological tools.
This period has exposed the enormous dependence of European companies on technology providers “made in USA” (or rather “located in the USA”). Few options of similar functionality and performance exist in Europe to replace Google, DropBox, Microsoft or MailChimp, to name a few of the most recurrent. This cries out for the European macroeconomic environment to focus on not being marginalized, or left in a submissive role, with respect to the technological development that other countries and/or economic confluence zones have been carrying out for some time, but that is a matter for another discussion…
What does Privacy Shield entail?
At the time of writing this article, the publication of the new agreement in the Federal Register of the U.S. Department of Commerce is pending. On July 12, the Commission notified the Member States of the Adequacy Decision, so as of that date it is applicable to European companies, which will have to wait for the Register to be opened on the other side of the Atlantic for it to become effective.
Is it merely a name change?
The replacement of Safe Harbor by Privacy Shield is effectively a change of name, since the spirit of both regulations is the same: American companies receiving personal data of European citizens make a unilateral declaration, as a self-certification, by which they undertake to process the data in accordance with the data protection principles prevailing in the European Union, and the American authorities can hear complaints from European citizens regarding effective compliance with such declarations. Of course, while Safe Harbor was in force, the Principles and their application were interpreted from the North American conception of privacy, which was much more lax than the continental one.
So what changes does the new Privacy Shield agreement entail?
The scheme of operation is the same as for Safe Harbor: North American companies that want or have to process personal data of European citizens have to make the self-declaration of adherence to the Privacy Shield, committing themselves to meet the security standards (not the measures) that any processor located in E.U. territory is obliged to meet. Once this is done, the U.S. Department of Commerce will include the company in the “Privacy Shield List”, for publication and control. Any European company wishing to hire the services of an American company must first consult this list and verify whether that company is included. If it is not included, the European company must file a request for international transfer, with all the requirements established for it.
The U.S. Department of Commerce continues to be in charge of verifying the application of the measures and processes derived from compliance with the Privacy Shield. In addition, as a novelty, a joint annual review will be carried out between the European Commission and the U.S. Department of Commerce to monitor and verify compliance with the Agreement, which will be subject to constant review and, if the Commission detects any non-compliance affecting European regulations, it may adopt the necessary measures to protect the privacy of European citizens’ data.
Privacy Shield Agreements
Apart from this joint periodic review, the Privacy Shield agreements include, with respect to Safe Harbor:
- A commitment to more rigorous control by the U.S. Department of Commerce of compliance with the declarations made by the adhering companies and, therefore, greater control of effective compliance with security standards equivalent to those of the E.U. Evidence of non-compliance should lead to the company’s removal from the list.
- Any change of application in the security processes must be communicated to the Department of Commerce.
- Data retention must be limited to the time necessary for the provision of services as data processor.
- The U.S. security services are also involved in these agreements and take part, appointing a figure called “Ombudsperson” who will be in charge of channeling complaints from European citizens whose privacy may be compromised by the actions of the U.S. security services. Likewise, the U.S. Director of Intelligence undertakes that the massive processing of personal data will only be carried out under strict conditions.
- A dispute resolution mechanism is created for anyone who may be harmed by improper processing of their data.