Tag Archive: Privacy Shield

ITALY – Personal data “CAN” be transferred under the Privacy Shield

Following the Schrems Judgment, there was some uncertainty as to the legal basis to transfer personal data from Italy to the US.

Consistently with other European Data Protection Authorities, also the Italian Data Protection Authority (Garante per la protezione dei dati personali, “the Italian DPA”) authorized the transfer of personal data to the US under the so-called Privacy Shield, i.e. the new agreement signed between the EU and the US which served as the alternative for the old Safe Harbour that was invalidated by the European Court of Justice (for further information see here). Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-personal-data-can-be-transferred-under-the-privacy-shield/

EU – US: Privacy Shield in Force – But For How Long?

By Dr. Thomas Jansen and Mari Martin

On July 12, 2016 the European Commission (EC) voted to adopt the final version of the EU-U.S. Privacy Shield.The Privacy Shield agreement replaces the previous agreement, Safe Harbor, which was struck down in October 2015 following revelations regarding U.S. mass surveillance.

According to EC Commissioner Jourova, the Privacy Shield, “is fundamentally different from the old ‘Safe Harbor’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice. For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.”

Implementation of the Privacy Shield is critical to the flow of over $250 billion in international trade between the U.S. and EU. After Safe Harbor was struck down, organizations were forced to undertake more complex, time consuming and costly data transfer arrangements.

Thus, industry groups have largely embraced the Member States’ decision to adopt the Privacy Shield. The Digital Europe group, which represents tech firms such as Google and Apple, welcomed the decision. “Our members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies,” said John Higgins, Digital Europe’s director general. TechUK, which represents 900 firms in the UK, applauded the Privacy Shield as “restoring a stable legal footing” to transatlantic data flows.

However, many expect an upcoming legal challenge to the Privacy Shield, based on the continued mass surveillance by the United States. As noted by Commissioner Jourova, the Privacy Shield is underpinned by written assurances from the U.S. will not conduct indiscriminate mass surveillance of European citizens’ data. European Data Protection Authorities (DPAs) may find these assurances insufficient. For example, European Parliament Member Jan Philipp Albrecht called it “highly dangerous” to rely on the vague promises made by the U.S. government. In its April 2016 Opinion, the Article 29 Working Party, a group of independent DPAs, strongly recommended strengthening the framework, citing concerns with loopholes through which the U.S. could continue bulk data collection. Kirsten Fiedler, managing director of European Digital Rights (EDRi), has called the Privacy Shield agreement ‘deeply flawed’.

Some in Europe are of the opinion that the Privacy Shield has not gone far enough in addressing the concerns expressed by the ECJ in its decision striking down Safe Harbor. According to Hamburg data protection officer Johannes Caspar, the Privacy Shield is not sufficient to produce an adequate level of data protection, especially as there are no legal guarantees against mass surveillance by U.S. authorities, only assurances. Likewise, Chairman of the Article 29 Working Party and French Data Protection Authority, the CNIL, Isabelle Falque-Pierrotin said she particularly regretted the absence of several principles such as the prohibition of automated decisions and lamented the fact that “US authorities have not provided sufficiently precise information to rule out a massive and indiscriminate surveillance of European citizens’ data.”


The EC presented a draft decision on the EU-U.S. Privacy Shield on February 29, 2016. In accordance with the Data Protection Directive (95/46/EC ), the Article 29 Working Party, a group of independent data protection authorities, issued an opinion on April 13, 2016. The European Parliament adopted a resolution in favor of the Privacy Shield on May 16, 2016. On July 8, 2016 EU member states voted to adopt the final version of the  EU-U.S. Privacy Shield, paving the way for the adoption of the decision by the EC.

Our Recommendations

As of now, the Privacy Shield is a valid legal basis for data transfer between the U.S. and EU. However, as explained above, the Privacy Shield may be valid only temporarily. A legal challenge appears imminent.

Importantly, the Privacy Shield, in addition to the strong possibility that its validity will soon be in question, only addresses data transfer between the U.S. and EU. The Privacy Shield is inapplicable to the data transfer involving jurisdictions other than the U.S. and EU Member States.

Thus, we continue to recommend data transfer agreements based on EU Standard Model Clauses as the best choice for data transfer outside of the EU/EEA and countries approved by the EC as providing an adequate level of data protection. In particular, any organization considering implementing Model Clause agreements for international data transfers outside the U.S. and EU Member States would be wise to include transfers involving the U.S. in the Model Clause agreement rather than relying on the Privacy Shield.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-us-privacy-shield-in-force-but-for-how-long/

EUROPE: European Data Protection Supervisor Calls for “Significant” Improvements to EU-U.S. Privacy Shield

By: Dr. Thomas Jansen and Mari Martin

On May 30, 2016, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued his Opinion on the EU-U.S. Privacy Shield, calling for “significant” improvements to the EU-U.S. Privacy Shield before it can be adopted by the European Commission (EC). According to the EDPS Opinion:

“The draft Privacy Shield may be a step in the right direction, but as currently formulated it does not adequately include, in our view, all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress. Significant improvements are needed should the European Commission wish to adopt an adequacy decision.”

The Opinion stated that in order for the Privacy Shield to be effective, it must provide adequate protection against indiscriminate surveillance by U.S. intelligence agencies and improve existing obligations regarding oversight, transparency, redress and data protection rights. In particular, the EDPS Opinion called on the EC to negotiate improvements to Privacy Shield in three main areas:

  • integrating all key EU data protection principles so that the Privacy Shield will offer essential equivalence between EU and U.S. law;
  • limiting derogations from the Privacy Shield’s provisions; and
  • improving redress and oversight mechanisms contained in the Privacy Shield.

The Opinion also urged the negotiating parties to be unhurried in finding an adequate, long term solution, as it is essential for international organizations supplying goods and services in the EU to be absolutely clear about all the rules with which they must comply.

Background Information

The EC began negotiating the Privacy Shield in October 2015, after the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Safe Harbor data transfer agreement. The Privacy Shield is intended to replace Safe Harbor. The EDPS opinion follows and supports the concerns expressed in the European Parliament’s May 25, 2016 resolution (2016/2727 (RSP)), which called for the EC to reopen negotiations with the U.S. in order to improve perceived “deficiencies” in the EU-U.S. Privacy Shield.

After the CJEU invalidated the EU-U.S. Safe Harbor Agreement, the Article 29 Working Party assured organizations and individuals wanting to transfer data from the EU to the United States that they could rely on other mechanisms provided for in the 1995 Data Protection Directive, such as standard model clauses and binding corporate rules, to continue legally exporting data.

However, these alternative mechanisms suffer from some of the same deficiencies as did Safe Harbor, in particular the lack of restrictions on access to personal data by U.S. intelligence agencies. Last week, the Irish Data Protection Commissioner announced that it would refer the question of the legality of the use of standard model clauses as a basis of data transfer to the CJEU, thus calling into question their continued use in the long term.

Practical Implications

Should the CJEU also invalidate the use of standard model clauses, which is by no means certain, approval of a final version of the Privacy Shield implementing the recommendations and addressing the concerns expressed in the Opinion of the EDPS and the Resolution of the European Parliament on the adequacy of the Privacy Shield will be critical for uninterrupted data flow between the EU and United States.

Like the recent Resolution passed by the European Parliament, the EDPS Opinion should contribute to the essential clarity for international organizations supplying goods and services in the EU regarding the precise rules with which they must comply in order to lawfully transfer personal data between the U.S. and EU.



Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-european-data-protection-supervisor-calls-for-significant-improvements-to-eu-u-s-privacy-shield/

EUROPE: European Parliament Passes Resolution Calling for Improvement of EU-U.S. Privacy Shield

By: Dr. Thomas Jansen and Mari Martin

On May 25, 2016, the European Parliament (EP) passed a non-binding resolution calling for the European Commission (EC) to reopen negotiations with the United States in order to improve perceived “deficiencies” in the EU-U.S. Privacy Shield.

The resolution requested improvements beyond the agreement reached between U.S. and EU negotiators in February. On February 29, 2016, the EC published a draft decision that approved the Privacy Shield arrangement as adequate. The Privacy Shield is intended to replace the EU-U.S. Safe Harbor Framework, which the Court of Justice of the European Union invalidated in October 2015.

The resolution, which the EP adopted in a 501-119 vote with 31 abstentions, largely supports criticisms in the April 13, 2016 Opinion issued by the Article 29 Working Party. Although the resolution acknowledged that the Privacy Shield contains “substantial improvements” compared to the Safe Harbor arrangement, it also called on the EC to “continue the dialogue with the U.S. administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies.”

The “deficiencies” about which the Members of the European Parliament (MEPs) voiced concerns include:

  • the lack of restriction on access to European citizens’ personal data by U.S. intelligence agencies and the possibility of their collecting bulk data;
  • the proposed U.S. Ombudsman, created to review the complaints of European citizens, which the resolution called neither“sufficiently independent” nor “vested with adequate powers to effectively exercise and enforce its duty”; and
  • the complexity of the redress mechanism, which the resolution requested the EC and U.S. make more “user-friendly and effective.”

Further, the resolution called on the EC to:

  • fully implement the recommendations in the April 13, 2016 Opinion of the Article 29 Data Protection Working Party;
  • conduct robust periodic reviews of its decision that the protection provided by the Privacy Shield is adequate, particularly in the light of the new General Data Protection Regulation, which will go into effect in 2018; and
  • continue its dialogue with the U.S. to negotiate further improvements to the Privacy Shield.

The Article 31 Committee responsible for approving the Privacy Shield will take the EP’s resolution into consideration before voting on its adequacy. The Committee, which is composed of Member State representatives and chaired by the EC, is still deliberating regarding the Privacy Shield. The EC is expected to present to the Article 31 Committee a revised adequacy decision at the beginning of June. A vote is intended by the end of the month, and the EC aims to conclude approval of the Privacy Shield by mid-July.

Practical Implications

Invalidation of the EU-U.S. Safe Harbor Framework created considerable uncertainty for both businesses and consumers regarding transatlantic data transfer. Speaking after the European Parliament adopted its resolution, MEP Timothy Kirkhope, a member of the UK Conservative Party, stated:

“The Privacy Shield needs some clarifications as to how it will work in practice, which the Commission have said it is pursuing, but getting the Privacy Shield up and running swiftly is essential for businesses operating across the Atlantic. Businesses and consumers were left in legal limbo and uncertainty when Safe Harbor was rejected. It is about time that the businesses and their clients have legal certainty.”

The resolution should contribute to increased clarity for both businesses and individuals regarding data transfer between the EU and United States.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-european-parliament-passes-resolution-calling-for-improvement-of-eu-u-s-privacy-shield/

EUROPE – US: EU Data Protection Authorities voice strong concerns about Privacy Shield

EU Data Protection Authorities demand improvements before EU – US transfer mechanism will be approved.

The Article 29 Working Party (“WP29“), which comprises the national data protection authorities of the EU member states, issued a statement on Wednesday strongly criticising the draft “EU – US Privacy Shield” proposal.  Privacy Shield is intended to be the replacement to the defunct Safe Harbor scheme, which allowed EU companies to legally export personal data to the US.

Whilst WP29 accepts that, in its current form, Privacy Shield represents a significant improvement over Safe Harbor, it believes it does not go far enough in offering EU citizens an adequate level of protection for their personal information. Crucially, WP29 considers that Privacy Shield does not sufficiently address the massive and indiscriminate collection of personal data by the US authorities which was the precipitating factor in the Schrems case which brought down Safe Harbor.

In summary, the specific criticisms voiced by WP29 are:

  • Lack of clarity – Privacy Shield is comprised of various documents and annexes, making information hard to find and at times inconsistent;
  • Lack of key data protection principles – some of the central principles of European data protection law, such as purpose limitation and data retention, are not sufficiently covered by the proposal;
  • Onward transfers – the proposal does not ensure that the same standards are applied by third country recipients who receive EU personal data from a Privacy Shield entity;
  • Complex redress mechanism – EU citizens may not be able to effectively defend their rights in the face of a complex recourse mechanism which for many will be in a different language;
  • Indiscriminate data collection – there is insufficient detail about how the massive and indiscriminate surveillance of individuals by US authorities will be curtailed. In WP29’s view, such surveillance can never be considered proportionate or necessary;
  • Ombudsperson not independent – WP29 welcomes the creation of an Ombudsperson role to handle and solve complaints raised by EU citizens. However, it is concerned that this role will not be sufficiently independent from US authorities.

The statement also concluded that, even if Privacy Shield is approved as an adequate mechanism for data transfers under current legislation, a review of its efficacy will be needed following the entry into application of the General Data Protection Regulation (“GDPR“) in 2018.  This appears to be a strong hint from WP29 that in its current form, Privacy Shield would almost certainly not be GDPR compliant.

As the Privacy Shield proposal is still being finalized, WP29’s assessment is not fatal. However, it is a clear signal to the EU Commission and to their partners in the US that significant improvements are needed if the scheme is to earn the adequacy decision which will make it a legal mechanism for data transfers.

In the meantime, WP29 has repeatedly stated that Binding Corporate Rules and the EC standard contractual clauses (or ‘model clauses’) can be relied upon for data transfers, and represent a safe alternative for former Safe Harbor companies. Although both of these schemes will be reviewed by WP29 in due course, it will not make any decision about them until after Privacy Shield has been dealt with.

If you need any assistance with the fast evolving area of EU – US data transfers, please contact a member of our global Data Protection, Privacy and Security team.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-us-eu-data-protection-authorities-voice-strong-concerns-about-privacy-shield/


DLA Piper Shared Insights at Bloomberg Law’s 2016 Outlook on Privacy and Data Security in Washington DC

On February 3rd, the day after announcement of the US-EU Privacy Shield provisional agreement, DLA Piper’s Carol Umhoefer, Jim Halpert and Giangi Olivi discussed EU data protection developments at Bloomberg Law’s 2016 Outlook on Privacy and Data Security, in Washington DC, following a presentation by Shannon Coe, privacy leader at the U.S. Department of Commerce’s International Trade Administration, that summarized the terms of the provisional agreement. Here is a short analysis of the issues they discussed. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/analysis-what-to-expect-from-the-privacy-shield-and-the-general-data-protection-regulation-gdpr/