EU–U.S. Privacy Shield adequacy decision (“Privacy Shield”), adopted on 12 July 2016, assessed by the EDPB in its report of January 22, 2019

in IT law, Privacy

In its report of January 22, 2019, the EDPB (European Data Protection Board) assessed once again whether the safeguards provided under the EU–U.S. Privacy Shield are workable and effective, and examined the robustness of the adequacy decision and its practical implementation.

Efforts made by U.S.

In this report the EDPB welcomes the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield, in particular the steps taken to adapt the initial certification process and to start ex officio oversight and enforcement actions, as well as the efforts made by the U.S. Government in publishing a number of important documents and in appointing a new Chair and two new members of the PCLOB (Privacy and Civil Liberties Oversight Board), which means that the PCLOB has reached the quorum required for it to function. However, the EDPB still has a number of significant concerns that need to be addressed by both the Commission and the U.S. authorities.

No substantial checks

The absence of substantial checks remains a concern of the EDPB. Other areas that require further attention are the application of the Privacy Shield requirements regarding onward transfers, HR data and processors, as well as the recertification process. In addition, the EDPB recalls the outstanding issues with respect to certain elements of the commercial part of the Privacy Shield adequacy decision, as already raised in the Article 29 Working Party’s (WP29) Opinion 01/2016.

Still waiting for a permanent Ombudsperson with sufficient powers

On the Ombudsperson mechanism, the EDPB is still awaiting the appointment of a permanent, independent Ombudsperson. Given the elements provided, the EDPB is not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance, and it therefore cannot state that the Ombudsperson can be considered an “effective remedy before a tribunal” within the meaning of Art. 47 of the EU Charter of Fundamental Rights. The EDPB recalls that the same concerns will be addressed by the Court of Justice of the European Union in cases that are already pending before the Court.

Safe Harbour

On October 6, 2015 the Court of Justice of the European Union declared the Safe Harbour adequacy decision invalid in the Schrems case (Maximillian Schrems v. Data Protection Commissioner, C-362/14, concerning Facebook’s transfers), brought in the wake of the Edward Snowden revelations. Safe Harbour was a very popular transfer mechanism that more than 4,000 American companies relied on to legitimise their transatlantic data transfers. From its inception, however, some European DPAs consistently criticised Safe Harbour for not offering true “adequacy”, especially for transfers to data processors and onward transfers. As a consequence of this Court decision, thousands of businesses rushed to identify alternatives for transferring personal data to the U.S., with most turning to the EU model clauses.

Let’s hope that this will not happen with the Privacy Shield, which is in fact still under review. The only alternatives for transferring personal data outside the EU would then be the expensive Binding Corporate Rules (GDPR Art. 46(2)(b)) or the model clauses of the European Commission (GDPR Art. 46(2)(c)), which also need to be assessed, as they are not yet completely GDPR-proof. The model clauses are considered adequate for use under the GDPR for the time being, but they are being reviewed. The GDPR (Art. 46(5)) expressly provides, however, that model clauses adopted under the Directive remain in force under the GDPR until amended, replaced or repealed. In practice this means that companies that have model clauses in place that predate the GDPR may continue to rely on those clauses now that the GDPR is in force.

Other possibilities are standard data protection clauses adopted by a supervisory authority and approved by the Commission (GDPR Art. 46(2)(d)), or an approved code of conduct or certification mechanism (GDPR Art. 46(2)(e) and (f)), of which I have not seen any example yet.
