EU–U.S. Privacy Shield adequacy decision (“Privacy Shield”) adopted on 12 July 2016, assessed by EDPB in report January 22, 2019

 in IT-recht, Privacy

In this report of January 22, 2019 The EDPB (European Data Protection Board) assessed once again whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective and the EDPB assessed the robustness of its adequacy decision and its practical implementation.

Efforts made by U.S.

In this report he EDPB welcomes the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield, especially actions undertaken to adapt the initial certification process, start ex officio oversight and enforcement actions, as well as the efforts made by the U.S Government by publishing a number of important documents and the appointment of a new Chair as well as of two new members of the PCLOB, meaning that the PCLOB has reached the required quorum for its functioning. However, the EDPB still has a number of significant concerns that need to be addressed by both the Commission and the U.S. authorities.

No substantial checks

The absence of substantial checks remains a concern of the EDPB. Other areas that require further attention are the application of the Privacy Shield requirements regarding onward transfers, HR Data and processors, as well as the recertification process. In addition, the EDPB recalls the remaining issues with respect to certain elements of the commercial part of the Privacy Shield adequacy decision as already raised in the WP 29’s Opinion 01/2016.

Still waiting for a permanent Ombudperson with sufficient power

On the Ombudsperson mechanism, the EDPB is still awaiting the appointment of a permanent independent Ombudsperson. Given the elements provided, the EDPB is not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non- compliance, and it can thus not state that the Ombudsperson can be considered an “effective remedy before a tribunal” in the meaning of Art. 47 of the EU Charter of Fundamental Rights. The EDPB recalls that the same concerns will be addressed by the European Court of Justice in cases that are already pending before the Court.

Safe Harbour

On October 6, 2015 The European Court declared the Safe-Harbour treaty invalid in the case Schrem-Facebook, after the Edward Snowden revelations. Safe Harbor was a very popular transfer mechanism that more than 4,000 American companies relied on to legitimize their transatlantic data transfers. From its inception, however, some European DPAs consistently criticized Safe Harbor for not offering true “adequacy,” especially for transfers to data processors and onward transfers. As a consequence of this Court decision , thousands of businesses rushed to identify alternatives to transfer personal data to the U.S., with most turning to EU model clauses.

Lets hope that this will not happen with the Privacy Shield, which is in fact still in negotiation. The only alternative for processing personal data outside the EU would then have to be based on expensive Corporate Binding Rules (GDP 46, 2b), or the Model clauses of the European Commission (GDPR 46, 2c)which needs to be assessed as well not being yet completely GDPR proof. The model clauses are considered adequate for use under the GDPR for the time being but are being reviewed. The GDPR( Art. 46,5) expressly provides however that model clauses adopted under the Directive will continue in force under the GDPR until amended, replaced, or repealed. Practically this means that companies that have model clauses in place that predate the GDPR may rely on these clauses now the GDPR is in force as well. An other possibility are standard data protection clauses adopted by a supervisory authority and approved by the Commission (GDPR 46, 2 d), or an approved code of conduct and certification mechanism (GDPR 46, 2 e and f), of which I have not seen any example yet.

Recente berichten
  • 14 september 2022

    Krappe arbeidsmarkt? Wees scherp op uw concurrentiebeding!

    Mirjam Scheper
    In de huidige krappe arbeidsmarkt wordt een concurrentiebeding steeds breder ingezet, veelal in de vorm van een standaardclausule. In de praktijk zie ik dat gebruik van een concurrentiebeding – mede hierdoor – vaak zijn doel voorbij schiet. Dat kan leiden tot onnodige discussies, procedures en kosten.
    Lees verder
  • 14 september 2022

    Actualiteiten arbeidsrecht voor HR-professionals en bedrijfsjuristen donderdag 3 november 2022

    Marion Hagenaars
    Mirjam Scheper
    Krapte op de arbeidsmarkt, Wet transparante en voorspelbare arbeidsvoorwaarden, hybride werken. De arbeidsmarkt is volop in beweging. Wat zijn de gevolgen? Hoe beweegt de arbeidsmarkt zich en hoe beweegt u daarin mee als HR-professional of bedrijfsjurist? Blijf aangehaakt bij het dynamische rechtsgebied dat het arbeidsrecht nu eenmaal is!
    Lees verder
  • 4 juli 2022

    Wet transparante en voorspelbare arbeidsvoorwaarden

    Mirjam Scheper
    De Eerste Kamer heeft op 21 juni 2022 het wetsvoorstel Wet transparante en voorspelbare arbeidsvoorwaarden aanvaard. Het wetsvoorstel implementeert de gelijknamige EU-richtlijn en treedt 1 augustus 2022 in werking. De richtlijn heeft als doel de inhoud van het werk vooraf transparanter en beter voorspelbaar te maken. De belangrijkste wijzigingen – die ik hieronder op hoofdlijnen
    Lees verder

Plaats een reactie

Top