EU–U.S. Privacy Shield adequacy decision (“Privacy Shield”) adopted on 12 July 2016, assessed by the EDPB in its report of January 22, 2019


In this report of January 22, 2019, the EDPB (European Data Protection Board) once again assessed whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective, and it assessed the robustness of its adequacy decision and its practical implementation.

Efforts made by U.S.

In this report the EDPB welcomes the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield, especially the actions undertaken to adapt the initial certification process and to start ex officio oversight and enforcement actions. It also welcomes the efforts made by the U.S. Government in publishing a number of important documents and in appointing a new Chair and two new members of the PCLOB, meaning that the PCLOB has reached the required quorum for its functioning. However, the EDPB still has a number of significant concerns that need to be addressed by both the Commission and the U.S. authorities.

No substantial checks

The absence of substantial checks remains a concern of the EDPB. Other areas that require further attention are the application of the Privacy Shield requirements regarding onward transfers, HR Data and processors, as well as the recertification process. In addition, the EDPB recalls the remaining issues with respect to certain elements of the commercial part of the Privacy Shield adequacy decision as already raised in the WP 29’s Opinion 01/2016.

Still waiting for a permanent Ombudsperson with sufficient power

On the Ombudsperson mechanism, the EDPB is still awaiting the appointment of a permanent independent Ombudsperson. Given the elements provided, the EDPB is not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance, and it thus cannot state that the Ombudsperson can be considered an “effective remedy before a tribunal” within the meaning of Art. 47 of the EU Charter of Fundamental Rights. The EDPB recalls that the same concerns will be addressed by the European Court of Justice in cases that are already pending before the Court.

Safe Harbour

On October 6, 2015, the European Court declared the Safe Harbour treaty invalid in the Schrems-Facebook case, after the Edward Snowden revelations. Safe Harbor was a very popular transfer mechanism that more than 4,000 American companies relied on to legitimize their transatlantic data transfers. From its inception, however, some European DPAs consistently criticized Safe Harbor for not offering true “adequacy,” especially for transfers to data processors and onward transfers. As a consequence of this Court decision, thousands of businesses rushed to identify alternatives to transfer personal data to the U.S., with most turning to EU model clauses.

Let's hope that this will not happen with the Privacy Shield, which is in fact still in negotiation. The only alternative for processing personal data outside the EU would then have to be based on expensive Corporate Binding Rules (GDPR 46, 2b), or on the Model clauses of the European Commission (GDPR 46, 2c), which need to be assessed as well, as they are not yet completely GDPR-proof. The model clauses are considered adequate for use under the GDPR for the time being but are being reviewed. The GDPR (Art. 46, 5) expressly provides, however, that model clauses adopted under the Directive will continue in force under the GDPR until amended, replaced, or repealed. In practice this means that companies that have model clauses in place that predate the GDPR may continue to rely on these clauses now that the GDPR is in force. Another possibility is standard data protection clauses adopted by a supervisory authority and approved by the Commission (GDPR 46, 2 d), or an approved code of conduct and certification mechanism (GDPR 46, 2 e and f), of which I have not seen any example yet.
