EU–U.S. Privacy Shield adequacy decision (“Privacy Shield”) adopted on 12 July 2016, assessed by EDPB in report January 22, 2019


In this report of January 22, 2019, the EDPB (European Data Protection Board) assessed once again whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective, and it assessed the robustness of its adequacy decision and its practical implementation.

Efforts made by the U.S.

In this report the EDPB welcomes the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield, especially the actions undertaken to adapt the initial certification process and to start ex officio oversight and enforcement actions. It also welcomes the efforts made by the U.S. Government in publishing a number of important documents and in appointing a new Chair as well as two new members of the PCLOB, meaning that the PCLOB has reached the required quorum for its functioning. However, the EDPB still has a number of significant concerns that need to be addressed by both the Commission and the U.S. authorities.

No substantial checks

The absence of substantial checks remains a concern of the EDPB. Other areas that require further attention are the application of the Privacy Shield requirements regarding onward transfers, HR Data and processors, as well as the recertification process. In addition, the EDPB recalls the remaining issues with respect to certain elements of the commercial part of the Privacy Shield adequacy decision as already raised in the WP 29’s Opinion 01/2016.

Still waiting for a permanent Ombudsperson with sufficient power

On the Ombudsperson mechanism, the EDPB is still awaiting the appointment of a permanent independent Ombudsperson. Given the elements provided, the EDPB is not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance, and it thus cannot state that the Ombudsperson can be considered an “effective remedy before a tribunal” in the meaning of Art. 47 of the EU Charter of Fundamental Rights. The EDPB recalls that the same concerns will be addressed by the European Court of Justice in cases that are already pending before the Court.

Safe Harbour

On October 6, 2015, the European Court declared the Safe Harbour treaty invalid in the Schrems-Facebook case, after the Edward Snowden revelations. Safe Harbor was a very popular transfer mechanism that more than 4,000 American companies relied on to legitimize their transatlantic data transfers. From its inception, however, some European DPAs consistently criticized Safe Harbor for not offering true “adequacy,” especially for transfers to data processors and onward transfers. As a consequence of this Court decision, thousands of businesses rushed to identify alternatives to transfer personal data to the U.S., with most turning to EU model clauses.

Let's hope that this will not happen with the Privacy Shield, which is in fact still in negotiation. The only alternative for processing personal data outside the EU would then have to be based on expensive Corporate Binding Rules (GDPR 46, 2b), or the Model clauses of the European Commission (GDPR 46, 2c), which need to be assessed as well, as they are not yet completely GDPR-proof. The model clauses are considered adequate for use under the GDPR for the time being but are being reviewed. The GDPR (Art. 46, 5) expressly provides, however, that model clauses adopted under the Directive will continue in force under the GDPR until amended, replaced, or repealed. In practice this means that companies that have model clauses in place that predate the GDPR may also rely on these clauses now that the GDPR is in force. Another possibility is standard data protection clauses adopted by a supervisory authority and approved by the Commission (GDPR 46, 2 d), or an approved code of conduct and certification mechanism (GDPR 46, 2 e and f), of which I have not seen any example yet.
