1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Privacy Shield gets approval: certainty at last?

The European Commission yesterday issued an adequacy decision adopting the EU-US Privacy Shield, which replaces Safe Harbor as a framework for protecting European data transferred to the United States. Adoption had been expected since the European Commission announced on Friday that Member States had given their “strong support” to the new framework (although we note that Austria, Bulgaria, Croatia and Slovenia abstained from voting).

Are there any final changes?

There have been some tweaks to the Privacy Shield regime since the draft adequacy decision was issued in February. These include:

  • additional clarifications on the bulk collection of data. In particular, the Office of the Director of National Intelligence has clarified that the bulk collection of EU data can only be used under specific preconditions and must be “as targeted and focused” as possible;
  • introducing more explicit obligations on companies as regards limits on retention and collection of data. Specifically, companies now have to delete data that no longer serves the purpose for which it was collected; and
  • strengthening the Ombudsperson mechanism. In its press release, the Commission makes clear that the Ombudsperson is independent from the US intelligence services.

What were the criticisms?

The changes are intended to address a critique of Privacy Shield issued in April by European data protection regulators (aka the Article 29 Working Party), which concluded that Privacy  Shield – while a huge improvement on Safe Harbor – still did not meet EU privacy standards. This was largely because:

  • massive and indiscriminate data collection by American authorities was still not fully excluded;
  • the Privacy Shield lacked an explicit data retention principle; and
  • the powers and independent position of the Ombudsperson (who deals with national security-related complaints) were not made clear.

What does the future look like for Privacy Shield?

The Commission’s tweaks will address the A29WP’s concerns to some degree, but that mightn’t be enough to keep the privacy wolves at bay.

Privacy Shield may well be subject to a future challenge on the basis of “equivalence” with EU law, and it will almost certainly undergo further A29WP review. Potential issues remain, such as the fact that Privacy Shield (like Safe Harbor) is largely self-certified. Indeed, one of the main privacy advocates in the European Parliament (MEP Jan Philipp Albrecht) commented that the European Commission has “just signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights”.  Max Schrems has said he will challenge it.

In the medium term, inconsistencies between Privacy Shield and the upcoming GDPR requirements could also limit Privacy Shield’s shelf life. Therefore, the climate seems ripe for challenge. Max Schrems has also sought to challenge model clauses in an application by the Irish DPA to the Irish High Court.

Privacy observers will also be keeping an eye on how Brexit plays out: will the UK find itself negotiating its own form of Privacy Shield to ensure EU adequacy?

Even so, Privacy Shield will be a valid solution for transfers to the US.  American companies may begin to self-certify with the US Commerce Department from 1 August, and we expect to see many large US vendors taking up this option. Microsoft has concluded on its official blog that the Privacy Shield “meets each of [the] requirements…of… European data protection law”.

Privacy Shield gets approval: certainty at last?

ICO releases 12 step guide on the GDPR

On Monday this week the UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR.  The guide was launched as part of the ICO’s annual Data Protection Practitioners’ Conference, in Manchester.  The ICO also launched a new microsite on the GDPR (see below).

In its accompanying press release, the ICO emphasised that its role is “not just about enforcement and fines” and that the guide would help the ICO to do its work in “guiding organisations who want to make sure they’re following the new rules, and getting it right from the start”. This tallies with the message of the ICO at the conference – it is here to help organisations, but that there are steps that can be taken now to start preparing for the implementation of the GDPR.

Here is a summary::

  • Ensure there is awareness amongst key stakeholders in the organisation that the GDPR represents a major overhaul of data protection law in Europe and ensure they identify the areas of the GDPR that have the biggest impact on them.
  • document the personal data that they hold, where it came from and with whom they share it. The ICO suggests that this can be done through an information audit – this will be necessary to match the updated subject rights for the “networked world”.
  • review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • check existing procedures to ensure that they cover all the rights data subjects now have under the GDPR – both the enhanced rights and the additional right of data portability.
  • look at the various types of data processing they carry out, identify a legal basis under the GDPR for carrying it out and document it.
  • ensure process and procedures are documented – to help demonstrate compliance with the accountability requirements. This may also help a controller to rely on the “manifestly unfounded or excessive” exemption for subject access requests, help to readily produce the upgraded form of privacy notice or help to determine the lead supervisory authority.

Interestingly, many of these recommendations will already be in place for those with BCRs or who have done data audits following the recent Safe Harbor and Privacy Shield developments.  Clearly, now is the time to get your ‘data privacy’ house in order.

We think that the 12 step guide is a useful starting point for all businesses, especially those small-to medium-sized enterprises who may be intimidated by the (over 200-page) GDPR – it helps puts theory into practice and could hint at the ICO’s enforcement focus going forward.

We expect that it will be the first in a set of practical guidance issued by the ICO ahead of the GDPR. Indeed, the ICO has anticipated, in its accompanying blog entry, that over the next few months, it will “…be doing more work to consider the feedback we’ve received and produce a more detailed plan for the guidance, other tools and services we need to develop”. In this way, the ICO seems to be taking a phased and business-friendly approach to the GDPR.

The ICO has also launched a new microsite dpreform.org.uk – this will be the home for the ICO’s GDPR guidance; a key addition to your “favourites” bar.

It has also invited further feedback about the areas in which advice and guidance is most needed – so get in touch if you have any strong views. Watch this space as we see what else the ICO (and other European regulators) will produce on the GDPR

 

ICO releases 12 step guide on the GDPR